review·2026-04-09·9 min read

Nmap on FreeBSD: Network Scanner Review

Review of Nmap on FreeBSD: host discovery, port scanning, service detection, OS fingerprinting, NSE scripts, and practical security audit workflows.

Nmap is the standard network scanning tool. It has been the go-to utility for network discovery and security auditing for over two decades, and it runs well on FreeBSD. This review covers installation, scan types, service and OS detection, the Nmap Scripting Engine, practical audit workflows, and the FreeBSD-specific details that matter when running it in production.

Why Nmap on FreeBSD

FreeBSD is a common choice for firewalls, routers, and network appliances. Running Nmap on the same platform you use for network infrastructure makes sense: you scan from inside the network perimeter, you avoid introducing a separate scanning OS, and you benefit from FreeBSD's robust networking stack. Nmap's raw socket usage works without issues on FreeBSD, and BPF (Berkeley Packet Filter) -- which originated on BSD -- provides efficient packet capture.

Installation

Binary Package

sh
pkg install nmap

This installs nmap, ncat, nping, and ndiff. The NSE script library is included.

Ports

sh
cd /usr/ports/security/nmap
make install clean

The ports build offers options for Zenmap (the GUI), which requires Python and GTK dependencies. On a headless server, skip it.

Verify Installation

sh
nmap --version

You should see version 7.9x or later. The package also installs NSE scripts to /usr/local/share/nmap/scripts/ and the service probes database to /usr/local/share/nmap/nmap-service-probes.

Host Discovery

Before scanning ports, Nmap determines which hosts are alive. The default discovery method depends on privileges.

As Root

Running as root (or with appropriate privileges), Nmap sends ICMP echo requests, TCP SYN to port 443, TCP ACK to port 80, and ICMP timestamp requests:

sh
nmap -sn 192.168.1.0/24

The -sn flag disables port scanning and performs host discovery only. This is your network inventory tool.

ARP Discovery on Local Segments

On local Ethernet segments, ARP discovery is faster and more reliable:

sh
nmap -sn -PR 192.168.1.0/24

ARP requests cannot be blocked by host firewalls, making this the most reliable local discovery method.

Dealing with Firewalls

When ICMP is blocked, use TCP-only discovery:

sh
nmap -sn -PS22,80,443 -PA3389 10.0.0.0/16

-PS sends SYN packets to specified ports; -PA sends ACK packets. Combining both catches hosts with different firewall configurations.

Large Network Scans

For scanning Class B or larger networks, adjust timing:

sh
nmap -sn -T4 --min-hostgroup 256 10.0.0.0/16

-T4 sets aggressive timing. --min-hostgroup 256 makes Nmap process hosts in batches of at least 256, improving throughput for large scans.

Port Scanning Techniques

Nmap supports multiple scan types, each with different stealth and accuracy characteristics.

TCP SYN Scan (Default)

sh
nmap -sS 192.168.1.1

Sends SYN, waits for SYN/ACK (open) or RST (closed). Never completes the handshake. Requires root privileges. This is the default scan type when running as root and the best general-purpose option.

TCP Connect Scan

sh
nmap -sT 192.168.1.1

Uses the OS's connect() call. Works without root privileges but is slower and more detectable because it completes the full TCP handshake.

UDP Scan

sh
nmap -sU --top-ports 100 192.168.1.1

UDP scanning is inherently slow because there is no handshake. ICMP unreachable rate limiting on FreeBSD can throttle this further. Scanning the top 100 UDP ports is practical; scanning all 65535 is not, unless you have hours to spare.

Combining TCP and UDP

sh
nmap -sS -sU --top-ports 200 192.168.1.1

Specific Port Ranges

sh
# Scan specific ports
nmap -sS -p 22,80,443,8080-8090 192.168.1.1
# Scan all 65535 ports
nmap -sS -p- 192.168.1.1
# Scan top 1000 ports (default)
nmap -sS 192.168.1.1

Service and Version Detection

Port scanning tells you what is open. Service detection tells you what is running.

sh
nmap -sV 192.168.1.1

The -sV flag probes open ports with protocol-specific requests and matches responses against the nmap-service-probes database. It identifies application name, version, and sometimes additional metadata.

Intensity Levels

sh
# Light probe (faster, less accurate)
nmap -sV --version-intensity 2 192.168.1.1
# Full probe (slower, more accurate)
nmap -sV --version-intensity 9 192.168.1.1

Default intensity is 7. For a quick survey, drop to 2. For a thorough audit, use 9.

Practical Example

sh
nmap -sS -sV -p 22,25,80,143,443,993,3306,5432 mail.example.com

This scans a mail server's typical ports and identifies the software versions. Output like OpenSSH 9.7p1, Postfix smtpd, or nginx 1.26.1 tells you immediately what needs patching.

OS Fingerprinting

sh
nmap -O 192.168.1.1

Nmap sends crafted packets and analyzes responses to determine the target's operating system. On FreeBSD targets, it typically identifies the major version correctly (e.g., "FreeBSD 13.x" or "FreeBSD 14.x").

Combine with service detection for a complete picture:

sh
nmap -A 192.168.1.1

The -A flag enables OS detection, version detection, script scanning, and traceroute. This is the "tell me everything" option.

Nmap Scripting Engine (NSE)

NSE is what elevates Nmap from a port scanner to a security assessment platform. Scripts are written in Lua and stored in /usr/local/share/nmap/scripts/.

Script Categories

  • auth: Authentication bypass and brute force
  • broadcast: Network broadcast discovery
  • default: Safe scripts run with -sC
  • discovery: Additional service discovery
  • exploit: Actual exploitation (use with caution)
  • vuln: Vulnerability detection

Running Default Scripts

sh
nmap -sC 192.168.1.1

The -sC flag runs scripts in the default category. These are safe for production networks and include SSL certificate inspection, HTTP title extraction, SMB share enumeration, and DNS zone transfer attempts.

Specific Script Examples

sh
# Check for known vulnerabilities
nmap --script vuln 192.168.1.1
# SSL/TLS audit
nmap --script ssl-enum-ciphers -p 443 192.168.1.1
# HTTP enumeration
nmap --script http-enum -p 80,443 192.168.1.1
# SMB vulnerability check (quoted so the shell does not expand the wildcard)
nmap --script "smb-vuln*" -p 445 192.168.1.1
# DNS zone transfer
nmap --script dns-zone-transfer --script-args dns-zone-transfer.domain=example.com -p 53 ns1.example.com

Updating Scripts

sh
nmap --script-updatedb

This rebuilds the script database after adding custom scripts to /usr/local/share/nmap/scripts/.

Practical Security Audit Workflows

Internal Network Audit

sh
# Phase 1: Discovery
nmap -sn -oG discovery.gnmap 10.0.0.0/16
# Phase 2: Extract live hosts
grep "Status: Up" discovery.gnmap | awk '{print $2}' > live_hosts.txt
# Phase 3: Full port scan of live hosts
nmap -sS -sV -sC -O -p- -iL live_hosts.txt -oA full_audit --max-retries 2 -T4

External Perimeter Scan

sh
nmap -sS -sV --script "default and safe" -p- -T3 -oA perimeter_scan example.com

Use -T3 (normal) timing for external scans to avoid triggering rate limits or IDS alerts.

Firewall Rule Verification

sh
# ACK scan to map firewall rules
nmap -sA -p 1-1024 firewall.example.com
# Compare with SYN scan
nmap -sS -p 1-1024 firewall.example.com

An ACK scan reveals which ports are filtered vs. unfiltered, regardless of whether they are open. Combined with a SYN scan, you can map the firewall's behavior.
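
The SYN/ACK comparison described above, worked through as an added example (not part of the original review). It assumes both scans were also saved with -oG; the sample lines, host name, function names and verdict wording are constructed for illustration.

```python
# Constructed greppable (-oG) lines for one host, not real scan output.
SYN_LINE = ("Host: 192.0.2.10 (fw.example.test)\tPorts: 22/open/tcp//ssh///, "
            "25/closed/tcp//smtp///, 80/open/tcp//http///"
            "\tIgnored State: filtered (1021)")
ACK_LINE = ("Host: 192.0.2.10 (fw.example.test)\tPorts: 22/unfiltered/tcp//ssh///, "
            "25/unfiltered/tcp//smtp///, 443/unfiltered/tcp//https///"
            "\tIgnored State: filtered (1021)")

# (SYN scan state, ACK scan state) -> what it says about the rule set.
VERDICT = {
    ("open", "unfiltered"): "passed, service listening",
    ("closed", "unfiltered"): "RST both ways: open rule with no listener, or reject rule",
    ("open", "filtered"): "passed by a stateful rule (stray ACK dropped)",
    ("closed", "filtered"): "stateful rule with no listener behind it",
    ("filtered", "unfiltered"): "SYN dropped but ACK passes: stateless filtering",
    ("filtered", "filtered"): "blocked",
}

def parse_ports(gnmap_line):
    """Return ({port: state}, default_state) from one -oG 'Host: ... Ports:' line."""
    fields = dict(f.split(": ", 1) for f in gnmap_line.split("\t") if ": " in f)
    ports = {}
    for entry in fields.get("Ports", "").split(", "):
        if entry:
            num, state = entry.split("/")[:2]
            ports[int(num)] = state
    # Ports not listed individually share the "Ignored State".
    default = fields.get("Ignored State", "unknown").split(" ")[0]
    return ports, default

def map_firewall(syn_line, ack_line):
    """Classify every port that either scan listed individually."""
    syn, syn_default = parse_ports(syn_line)
    ack, ack_default = parse_ports(ack_line)
    result = {}
    for port in sorted(set(syn) | set(ack)):
        pair = (syn.get(port, syn_default), ack.get(port, ack_default))
        result[port] = VERDICT.get(pair, "inconclusive: %s/%s" % pair)
    return result

if __name__ == "__main__":
    for port, verdict in map_firewall(SYN_LINE, ACK_LINE).items():
        print(port, verdict)
```

On a stateful firewall such as PF with its default state tracking, expect the ACK scan to report nearly everything as filtered; the "passed by a stateful rule" verdict is the normal result for an allowed port there.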

Continuous Monitoring with Ndiff

sh
# Baseline scan
nmap -sS -sV -oX baseline.xml 192.168.1.0/24
# Later scan
nmap -sS -sV -oX current.xml 192.168.1.0/24
# Compare
ndiff baseline.xml current.xml

Ndiff highlights new hosts, removed hosts, changed ports, and changed services. Automate this via cron for change detection.

Output Formats

Nmap supports multiple output formats. Always save results.

sh
# All formats at once (-oA basename)
nmap -sS -sV -oA scan_results 192.168.1.0/24
# This creates:
#   scan_results.nmap  - human readable
#   scan_results.xml   - XML (for parsing and tools)
#   scan_results.gnmap - greppable format

The XML output is essential for integration with vulnerability management tools, SIEM systems, and custom reporting scripts.

FreeBSD-Specific Notes

BPF Permissions

Nmap uses BPF for packet capture. By default, only root can access /dev/bpf*. To allow a non-root user to run SYN scans:

sh
# Add user to the network group (not recommended for production)
# Better: use sudo or doas for privileged scans
pkg install doas
echo "permit nopass sysadmin as root cmd /usr/local/bin/nmap" >> /usr/local/etc/doas.conf

PF Interaction

If you run PF on the scanning host, be aware that state table entries are created for each probe. A full scan of a large network can fill the state table:

sh
# Check state table size
pfctl -si | grep "current entries"
# Increase if needed in /etc/pf.conf
# set limit states 500000

Scanning from a Jail

Nmap requires raw socket access, which is disabled in jails by default. To enable it:

sh
# In jail.conf or via sysctl
allow.raw_sockets = 1;

This has security implications. Only enable raw sockets in jails dedicated to security scanning.

Performance Tuning

Timing Templates

| Flag | Name | Use Case |
|------|------|----------|
| -T0 | Paranoid | IDS evasion |
| -T1 | Sneaky | IDS evasion |
| -T2 | Polite | Reduced bandwidth |
| -T3 | Normal | Default |
| -T4 | Aggressive | Fast, reliable networks |
| -T5 | Insane | Very fast, may miss results |

For internal networks, -T4 is the sweet spot. For external audits, stick with -T3.

Parallelism

sh
nmap -sS --min-parallelism 100 --max-parallelism 256 -T4 10.0.0.0/16

Rate Limiting

sh
# Limit to 1000 packets per second (useful when scanning through firewalls)
nmap -sS --max-rate 1000 192.168.1.0/24

Verdict

Nmap on FreeBSD works exactly as you would expect. The installation is clean, the BPF integration is native, and every feature works without compromise. It is the single most important tool in a network administrator's security toolkit.

There is nothing FreeBSD-specific that degrades the Nmap experience. If anything, running Nmap on a BSD system feels natural given the shared heritage with libpcap and BPF.

Rating: 9/10 -- Loses one point only because Zenmap (the GUI) is awkward to install on headless FreeBSD servers, but that is a non-issue for the target audience.

Frequently Asked Questions

How do I scan IPv6 hosts with Nmap on FreeBSD?

Use the -6 flag:

sh
nmap -6 -sS -sV fe80::1%em0

FreeBSD's IPv6 stack works well with Nmap. Specify the interface with %ifname for link-local addresses.

Can Nmap detect if a port is filtered by PF?

Yes. A SYN scan reports ports as "filtered" when no response is received (PF drops the packet) or when an ICMP unreachable is returned. Use -sA (ACK scan) for additional firewall mapping.

How do I scan without triggering IDS alerts?

Use slow timing and fragmentation:

sh
nmap -sS -T1 -f --data-length 24 192.168.1.1

-f fragments packets; --data-length appends random data. This evades simple signature-based IDS. Sophisticated IDS will still detect the scan.

What is the difference between clamscan and nmap for vulnerability scanning?

They serve completely different purposes. ClamAV (clamscan) scans files for malware signatures. Nmap scans networks for open ports and vulnerabilities. They are complementary, not alternatives.

How do I save Nmap results to a database?

Use the XML output (-oX) and import into tools like Metasploit or OpenVAS. For a lightweight approach, parse the XML with a script and insert into PostgreSQL or SQLite.
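
One way to do the lightweight approach, added here as an example and not taken from the original review: parse -oX output with Python's standard library and load it into SQLite. The sample XML, table layout and function names are assumptions for illustration.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample shaped like `nmap -sS -sV -oX` output (not a real scan).
SAMPLE_XML = """<nmaprun scanner="nmap" start="1700000000">
 <host><status state="up"/><address addr="192.0.2.1" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="open"/>
    <service name="ssh" product="OpenSSH" version="9.7p1"/></port>
   <port protocol="tcp" portid="443"><state state="open"/>
    <service name="http" product="nginx" version="1.26.1"/></port>
   <port protocol="tcp" portid="3306"><state state="filtered"/></port>
  </ports></host>
 <host><status state="down"/><address addr="192.0.2.2" addrtype="ipv4"/></host>
</nmaprun>"""

# Hypothetical table layout; the key makes re-importing the same scan idempotent.
SCHEMA = """CREATE TABLE IF NOT EXISTS ports (scan_start INTEGER, addr TEXT,
  proto TEXT, port INTEGER, state TEXT, service TEXT, product TEXT, version TEXT,
  PRIMARY KEY (scan_start, addr, proto, port))"""

def import_scan(xml_text, db):
    """Store one row per reported port of each host that is up; return the row count."""
    root = ET.fromstring(xml_text)
    start = int(root.get("start", "0"))
    rows = []
    for host in root.iter("host"):
        if host.find("status").get("state") != "up":
            continue
        # Hosts on the local segment also carry a MAC <address>; keep the IP.
        addr = next(a.get("addr") for a in host.iter("address")
                    if a.get("addrtype") in ("ipv4", "ipv6"))
        for port in host.iter("port"):
            svc = getattr(port.find("service"), "attrib", {})  # may be absent
            rows.append((start, addr, port.get("protocol"), int(port.get("portid")),
                         port.find("state").get("state"), svc.get("name"),
                         svc.get("product"), svc.get("version")))
    db.execute(SCHEMA)
    # Parameterized insert: banner text in the XML comes from the scanned hosts.
    db.executemany("INSERT OR REPLACE INTO ports VALUES (?,?,?,?,?,?,?,?)", rows)
    db.commit()
    return len(rows)

def open_services(db):
    return db.execute("SELECT addr, port, product, version FROM ports "
                      "WHERE state = 'open' ORDER BY addr, port").fetchall()

if __name__ == "__main__":
    conn = sqlite3.connect(":memory:")  # pass a file path to keep scan history
    print(import_scan(SAMPLE_XML, conn), "rows;", open_services(conn))
```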

Does Nmap work over VPNs on FreeBSD?

Yes. SYN scans work over WireGuard, OpenVPN, and IPsec tunnels. Ensure the tunnel interface MTU is sufficient for Nmap's probes. If you see unreliable results, try --mtu to set a specific MTU value.
