ftp over non-standard port

From: CHYRON (DSMITHHFX), 28 Nov 2012 20:53
To: ALL, 1 of 26
A client is running a secure ftp server on a non-standard port. I had our isp forward this port to a pc on our lan. Although I can apparently ping the server from the pc: "nmap -PN -p [port] [ip address]" returns
---
Nmap scan report for [ip address]
Host is up.
PORT      STATE    SERVICE
[port]/tcp filtered unknown

---
I can't establish an ssh, ftp, or sftp connection via shell, or filezilla ftp client. I don't think it's a login issue; the connection attempts just time out. The server admin said he might need to add my ip address to their firewall white list; in the meantime I'm trying to determine if the problem could be at my end: "nmap -p [port] [lan ip address]" returns
---
Interesting ports on [lan ip address]:
PORT      STATE  SERVICE
[port]/tcp closed unknown
---

Not sure what this means. Do I need to open this port on the local pc (it does not have a firewall, and allegedly default iptables allow all traffic)?

Or does "closed" just mean the port is not currently in use?

EDITED: 28 Nov 2012 20:58 by DSMITHHFX
From: patch, 28 Nov 2012 21:11
To: CHYRON (DSMITHHFX), 2 of 26
Unless it's some really horribly restrictive firewall on the PC, it should still allow outbound traffic and its associated response.

Checking your own PC probably won't help since it won't be sending the traffic out on the same port that it's trying to get to; it's more likely to choose a random, higher-number port. Firewall or router logs should help you work out which one it's using.

If you can ping the remote host, then you know that everything is working in a routing sense. It's most likely a whitelist on the server, yes.
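As an added example (not code from this thread), here is a small Python probe that labels a TCP port open, closed or filtered the way an nmap connect scan does, plus a plain-English reading of each result that matches patch's point about the client PC; the loopback self-check constructs its own listener so it runs offline.

```python
import errno
import socket

# Added example (not from the thread): classify one TCP port the way an
# nmap connect scan does, so the two nmap results above can be read side by side.
#   open     - three-way handshake completed, something is listening
#   closed   - the host answered with RST: reachable, but nothing listening
#   filtered - no answer at all (or ICMP unreachable): something dropped it
def probe_tcp(host, port, timeout=3.0):
    """Return 'open', 'closed' or 'filtered' for host:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except socket.timeout:
            return "filtered"          # silently dropped, nmap's "filtered"
        except ConnectionRefusedError:
            return "closed"            # RST came back, nmap's "closed"
        except OSError as exc:
            if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "filtered"      # ICMP unreachable, nmap also says filtered
            raise

def explain(state, side):
    """One-line reading of a result; side is 'remote' or 'local'."""
    if side == "local":
        # The client PC is not expected to listen on the server's port at
        # all: the outbound connection uses an ephemeral source port.
        return ("closed on the client PC is normal: the outbound connection "
                "uses an ephemeral source port, so this says nothing about "
                "whether the remote server is reachable")
    return {
        "open": "the service is reachable from here",
        "closed": "the host is reachable but nothing listens on that port",
        "filtered": "packets are being dropped, most likely by a firewall "
                    "(for example a source-IP whitelist on the server side)",
    }[state]

def self_check():
    """Demonstrate open vs closed on loopback with a constructed listener."""
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.bind(("127.0.0.1", 0))         # port 0: the OS picks a free port
    lst.listen(1)
    port = lst.getsockname()[1]
    while_listening = probe_tcp("127.0.0.1", port, timeout=1.0)
    lst.close()                        # now nothing listens there
    after_close = probe_tcp("127.0.0.1", port, timeout=1.0)
    return while_listening, after_close
```

Run `self_check()` to see ('open', 'closed'); a "filtered" result against a remote host is the one that points at a firewall rather than at the client.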
From: CHYRON (DSMITHHFX), 28 Nov 2012 21:17
To: patch, 3 of 26
Ok thanks, yeah that makes the most sense.
From: sinkywinky, 28 Nov 2012 22:42
To: CHYRON (DSMITHHFX), 4 of 26
Why did you need your ISP to forward anything if the server is running at the client's site?
EDITED: 28 Nov 2012 22:42 by SINKYWINKY
From: patch, 28 Nov 2012 23:40
To: sinkywinky, 5 of 26
Good question. I missed that whole sentence.
From: CHYRON (DSMITHHFX), 29 Nov 2012 01:33
To: sinkywinky, 6 of 26
I dunno, I asked them if it was needed and they said yes (and they admin our firewall).
From: patch, 29 Nov 2012 09:33
To: CHYRON (DSMITHHFX), 7 of 26
I think they may have been wrong. All they'd need to do is allow outbound traffic to the remote IP address on the non-standard port, and make sure the NAT/PAT is pointing the return traffic back to your PC. Unless they've got some funky, overly-complicated setup. Which wouldn't surprise me.
EDITED: 29 Nov 2012 09:34 by PATCH
From: Drew (X3N0PH0N), 29 Nov 2012 09:35
To: patch, 8 of 26
It's not something like his ISP remotely managing his router or something, is it? I've never heard of such a thing, but it sounds like that, and he is Canadian and I've heard how their mobile phones work.
From: CHYRON (DSMITHHFX), 29 Nov 2012 10:43
To: Drew (X3N0PH0N), 9 of 26
Well, the non-standard port (all of them, in fact, and a good many standard ones as well) is blocked by default by our isp, so if I want to do anything on such a port, I have to request they open and forward it to a particular pc behind the firewall. I have a staging server configured with its own firewall, and I had to open its ports too. I'm going to do this secure ftp thing on a different pc (to which the port is forwarded), which I believe is not currently blocking any ports, but just thought I'd ask here in case I might have overlooked something.
EDITED: 29 Nov 2012 10:46 by DSMITHHFX
From: ANT_THOMAS, 29 Nov 2012 10:51
To: CHYRON (DSMITHHFX), 10 of 26
They have to open a port for outbound traffic?!

Usually port forwarding is for inbound traffic. Or at least it is domestically. Is there a reason they have this port blocking system? Rather than just letting you admin the router to decide what ports are forwarded inbound?
From: Drew (X3N0PH0N), 29 Nov 2012 10:55
To: CHYRON (DSMITHHFX), 11 of 26
That's mad.
From: patch, 29 Nov 2012 12:23
To: Drew (X3N0PH0N), 12 of 26
No, that makes sense. From a security point of view, you just block everything inbound, and only open what is needed as it becomes needed.

But that's only for traffic that originates outside the firewall/router. For traffic that originates inside the firewall going to the outside, I'd normally expect pretty much everything to be open, with the firewall allowing reply/acknowledgment traffic to pass through as well. I'm sure there's a technical term for that, but I'm buggered if I can think of it right now.
From: Matt, 29 Nov 2012 12:31
To: patch, 13 of 26
BOFH?
From: Drew (X3N0PH0N), 29 Nov 2012 13:16
To: patch, 14 of 26
That would piss me off massively. If I had to phone my ISP every time I wanted to host a game...
From: patch, 29 Nov 2012 13:39
To: Drew (X3N0PH0N), 15 of 26
Which is why most sensible ISPs give you some way of doing it yourself. Even if it rarely works properly (I'm looking at you, BT).
From: Drew (X3N0PH0N), 29 Nov 2012 13:44
To: patch, 16 of 26
Hmm, BT don't block shit, do they (other than bad stuff)? I just forward stuff on my router and it works (I'm on BT, like).
From: ANT_THOMAS, 29 Nov 2012 13:53
To: Drew (X3N0PH0N), 17 of 26
You've got Broadband? :O
From: patch, 29 Nov 2012 14:09
To: Drew (X3N0PH0N), 18 of 26
If it's not being explicitly forwarded to your PC, then it's almost definitely blocked by default at your router. Otherwise it would be an open route into your network.

I doubt BT universally block anything inside their network before it gets to your router.
From: Drew (X3N0PH0N), 29 Nov 2012 14:09
To: ANT_THOMAS, 19 of 26
Yes (cheer)

I'll probably still be on 8meg when you lot are on gigabit internet.
From: koswix, 29 Nov 2012 15:26
To: Drew (X3N0PH0N), 20 of 26
Internet access at uni is rubbish. I'm being limited by the speed of the 54MB wifi connection :(

*downloads the internet*