> Mmmm - OK this should set TOS 0xc0 on all Incoming TCP packets (I think) > so would that not tell Nmap that something has changed maybe (I am not > sure how Nmap deals with TOS settings)? I thought so too, but having only PREROUTING or OUTPUT does not appear to be detected by nmap as a change. Also my experience tells me that nmap it such case likes to say (filtered)
> What happens with only the PREROUTING FTOS setting ? Says closed. Really. When I use TOS instead of FTOS, on both chains the result is: closed. > My suspicion is that the PREROUTING setting the TOS on inbound packets > causes Nmap to "think" something about the packets. After all Nmap is > expecting to receive the actual communications from the victim. Nmap is smart you know. Did you notice that in the dump, nmap first issues icmp echo req. then sends ACK to port 80, and THEN issues the packets as told in the commandline. > Thanks for the interesting report - I am curious what the Nmap is thinking > in this case... You are welcome, i guess that we are all curious. Just for the pure investigation satisfaction :) Maciej Soltysiak
