Im having trouble port scanning a stealthed host from behind NAT, why?
This is because each probe you send out causes the creation of a new NAT table entry, and the number of entries that can be stored in the table is finite. Since your probes are not receiving closed port replies (RST for TCP and ICMP type 3, code 3 for UDP), the entries remain in the table until their prescribed timeout period has elapsed. When the table becomes full, the router is forced to drop subsequent probes. This means that the results of your scan will be false since probes that are sent when the table is full will not make it to the target host and will result in a “filtered” or “stealth” (or perhaps “open” in the case of UDP) report regardless of the state of the port they were directed at. To combat this you can set a shorter table timeout for the protocol of interest if your device allows for this and send your probes slower if your scanner allows you to. You could also try asking the administrator of the target host to temporarily “un-stealth” his firewall. You do know the