Windows AdvFirewall and nmap scans
I come from a Unix background but got the task of configuring a Windows firewall on a public facing server.
I find awkward that any nmap scan I perform against the public IP reports all TCP ports from 1 to 65389 as open regardless of the Windows default rule of not allowing Inbound connections that do not match a rule.
I even got locked out of remote desktop after selecting "Block All Connections" on the Inbound rule of one of the profiles but still nmap shows:
3389/tcp open ms-term-serv
How is this explained
You're scanning the public ip address, which is assigned to the router/firewall, some ports are NAT'ed/forwarded to the server, the rest are not. The server isn't responding to your nmap scan, the router/firewall is, except for those ports that are NAT'ed/forwarded to the server, which will be reported as open, as they should be.
That's why it appears that all ports are open on the server. you need to look at the router/firewall configuration to determine why IT is reporting those ports as open (except for those ports that are NAT'ed/forwarded to the server).