The only issue is with the last statement: you can use -P0 on nmap and it will not ping the victim first.

thanks

On Wednesday 27 March 2002 10:18 am, Maciej Soltysiak wrote:
> Hello,
>
> to understand why nmap shows these results I have been tcpdumping the scans
> and looking at what is going on. I found that, if you simply DROP the Xmas,
> Null, etc. scans (not Syn scan) you are going to get a 'filtered' answer.
>
> Unfortunately all my rules went to hell while toying with lvm; I have
> just set up this computer.
>
> But in my opinion the best way to handle scanning is to apply rules in
> this order:
> 1. check if it is URG,PSH,FIN; if so REJECT with TCP Reset
> 2. the same goes for Null and FIN scans
> 3. some other rules for invalid combinations go here :)
> 4. use the PSD module (REJECT/DROP your choice),
>    but at this step, this rule applies only to Syn scans and UDP scans
>    and everything you are not checking in previous steps.
> 5. use Unclean to DROP the packets
>
> This way, nmap will show closed for all ports using Xmas scans.
> It will react to Syn scans later on.
> It will react to other sorts of invalid traffic.
>
> e.g. using only unclean can give the sort of result you are getting,
> which is the result of improper handling of the scans.
>
> note that hping2 has its own interpretation of Xmas and Ymas; it uses
> reserved bits AFAIK.
>
> I hope this answer clears your doubts.
>
> Remember, the scanning tool sends some stuff and then looks for
> everything that would suggest that someone is trying to defend himself.
>
> One last note. I remember that nmap acts strange. Before nmap issues its
> scans, it ALWAYS pings, and then sends an ACK to port 80.
>
> I think that if you could use the recent module to check for an ACK dport
> 80 after a ping, you could easily catch all nmap scans.
> But I say catch; the way you should answer may depend on the type of
> scan.
>
> Have a nice day,
> Maciej Soltysiak

-- 
Chief Security Engineer | Daniel Fairchild [EMAIL PROTECTED]
Unix is like a wigwam -- no Gates, no Windows, and an Apache inside.
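As an added example (not code from either poster), the ordering Maciej describes written out as an iptables ruleset, plus the "ping followed by ACK to port 80" idea using the recent module. The script prints the rules instead of applying them so they can be reviewed and then piped to sh as root. The INPUT chain, interface name, the 5-second window, and the assumption that the psd and unclean modules (patch-o-matic extras at the time) are available are all assumptions; Daniel's point applies to the last function: a scan run with -P0 never sends the ping, so that rule will not see it.

```bash
#!/bin/sh
# Added example, not from the original thread. Emits iptables rules in the
# order discussed: REJECT flag-combination scans with a TCP RST first (so
# nmap reports "closed" instead of "filtered"), then hand what is left
# (SYN and UDP scans) to psd, then drop anything else that is unclean.
# Chain INPUT and interface name are assumptions; adjust to your host.

gen_scan_rules() {
    iface="${1:-eth0}"      # assumption: interface facing the scanner
    with_pom="${2:-0}"      # 1 if the psd/unclean patch-o-matic modules exist
    ipt="iptables -A INPUT -i $iface -p tcp"

    # 1. Xmas scan: URG,PSH,FIN set, everything else clear -> RST back
    echo "$ipt --tcp-flags ALL URG,PSH,FIN -j REJECT --reject-with tcp-reset"
    # 2. Null scan (no flags at all) and FIN scan (only FIN) -> RST back
    echo "$ipt --tcp-flags ALL NONE -j REJECT --reject-with tcp-reset"
    echo "$ipt --tcp-flags ALL FIN -j REJECT --reject-with tcp-reset"
    # 3. other combinations no real stack produces (SYN+FIN, SYN+RST)
    echo "$ipt --tcp-flags SYN,FIN SYN,FIN -j REJECT --reject-with tcp-reset"
    echo "$ipt --tcp-flags SYN,RST SYN,RST -j REJECT --reject-with tcp-reset"

    if [ "$with_pom" = "1" ]; then
        # 4. port-scan detector: by now only SYN scans, UDP scans and
        #    traffic not matched above reach this rule
        echo "iptables -A INPUT -i $iface -m psd -j DROP"
        # 5. unclean: drop whatever else is malformed
        echo "iptables -A INPUT -i $iface -m unclean -j DROP"
    fi
}

# Maciej's "ping, then ACK to port 80" fingerprint with the recent module.
# Remember the source of an echo-request, then flag a bare ACK to dport 80
# from the same source within a short window. The window length is an
# assumption, and a scan run with -P0 skips the ping and will not match.
gen_nmap_ping_ack_rules() {
    iface="${1:-eth0}"
    window="${2:-5}"        # seconds between the ping and the ACK (assumed)
    echo "iptables -A INPUT -i $iface -p icmp --icmp-type echo-request -m recent --set --name nmap_ping"
    echo "iptables -A INPUT -i $iface -p tcp --dport 80 --tcp-flags ALL ACK -m recent --rcheck --seconds $window --name nmap_ping -j LOG --log-prefix \"nmap-ping-ack: \""
}

# Stand-alone use: IFACE=eth1 WITH_POM=1 sh scanrules.sh | sh   (as root)
gen_scan_rules "${IFACE:-eth0}" "${WITH_POM:-0}"
gen_nmap_ping_ack_rules "${IFACE:-eth0}"
```

Order matters here: if the psd or unclean rule came first, an Xmas probe would be dropped by it, the scanner would get no RST, and nmap would print "filtered", which is the confusing result the thread starts from.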
