nmap: Scan Ports to See What Is Reachable in CI
nmap scans a host for open ports and reports each as open, closed, or filtered, which tells you whether a firewall or a stopped service is the problem.
nmap goes beyond a single-port check: it tells closed (refused) apart from filtered (silently dropped), which is exactly the distinction between "service not running" and "firewall blocking" that CI connectivity bugs hinge on.
What it does
nmap probes the requested ports and classifies each. "open" means a service accepted the connection, "closed" means the host replied with a reset (reachable, nothing listening), and "filtered" means no reply at all (a firewall is dropping packets). That three-way result is more informative than a single nc check.
Common usage
# scan specific ports on a host
nmap -p 5432,6379,443 db.internal
# skip host discovery (ICMP often blocked); just scan
nmap -Pn -p 5432 db.internal
# TCP connect scan, no root needed
nmap -sT -p 443 api.example.comOptions
| Flag | What it does |
|---|---|
| -p <ports> | Ports to scan (list, range, or 1-65535) |
| -Pn | Skip host discovery, treat host as up |
| -sT | TCP connect scan (no raw sockets, no root) |
| -sS | SYN scan (faster, needs root) |
| -n | Do not resolve hostnames |
| --open | Show only open ports |
In CI
Add -Pn in cloud and container networks where ICMP is blocked, otherwise nmap may decide the host is down and skip the scan entirely. Use -sT when running without root, since the default SYN scan needs raw-socket privileges the runner may not have.
Common errors in CI
"Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn" means discovery failed; add -Pn. A port shown as "filtered" means a firewall is dropping packets, not that the service is down; "closed" means the service is not listening. "You requested a scan type which requires root privileges" means using -sT instead of -sS.