Thanks for the excellent explanation, Maciej. I guess what I was asking was if he blocks either "ALL ACK" or "ACK ACK" then he cannot do any TCP anymore...while there was no mention of -m state --state NEW...
Ramin

On Mon, May 06, 2002 at 10:18:47PM +0200, Maciej Soltysiak wrote:
> > May I ask you why you want to do this? Especially when you don't know
> > the difference between "ALL ACK" and "ACK ACK" ;-)
> He probably needs that to block nmap's initial ACK packet.
> If you tcpdump traffic generated by:
> nmap -s? -p 53 1.2.3.4
>
> where ? is any of S,X,F,N.
>
> you will see:
> 1. icmp echo sent to 1.2.3.4
> 2. a single ACK packet to 1.2.3.4:80
> 3. The scan to 1.2.3.4:53
>
> of course between 1 & 2 and 2 & 3 there may be packets generated by
> 1.2.3.4 as replies to those packets.
> If you block 1 (icmp echo request) nmap will say that the host is down,
> and will suggest using -P0 option.
>
> If you block 2, I don't know what happens, never looked into the sources.
> I guess that packet is meant to be a check for a primitive firewall.
> If there is one, that lets ACK in, and XMAS not, it _may_ be the case.
>
> Also maybe that ACK packet is used in OS fingerprinting.
> Maybe it checks for specific TCP parameters for the expected RST/ACK
> packet.
>
>
> Best Regards,
> Maciej Soltysiak
>
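
Added example (not part of the original thread): a simplified Python model of the iptables "--tcp-flags MASK COMP" match, run over a constructed packet trace, showing which packets a DROP rule with "ALL ACK" or "ACK ACK" would discard and how restricting the rule with "-m state --state NEW" changes that. The trace, the function names and the "new" marking (packets that do not belong to an already tracked connection) are assumptions of this illustration, not netfilter code.

```python
# Added illustration: simplified model of iptables' "--tcp-flags MASK COMP".
# Not netfilter code; the packet trace below is constructed sample data.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
         "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL = 0x3F  # iptables "ALL" means the six flags above


def parse(spec):
    """Turn 'SYN,ACK', 'ALL' or 'NONE' into a bitmask."""
    if spec == "ALL":
        return ALL
    if spec == "NONE":
        return 0
    bits = 0
    for name in spec.split(","):
        bits |= FLAGS[name]
    return bits


def tcp_flags_match(mask, comp, pkt_flags):
    """True when, among the flags listed in MASK, exactly those in COMP are set."""
    return (parse(pkt_flags) & parse(mask)) == parse(comp)


# Constructed trace: one ordinary connection, then a stray ACK.
# Third field: packet is not part of an already tracked connection
# (assumed to be what "-m state --state NEW" selects in this model).
TRACE = [
    ("handshake SYN", "SYN", True),
    ("handshake SYN/ACK", "SYN,ACK", False),
    ("handshake ACK", "ACK", False),
    ("data segment", "PSH,ACK", False),
    ("close FIN/ACK", "FIN,ACK", False),
    ("unsolicited ACK", "ACK", True),
]


def dropped(mask, comp, only_new=False):
    """Names of trace packets a DROP rule with this match would discard."""
    return [name for name, flags, new in TRACE
            if tcp_flags_match(mask, comp, flags) and (new or not only_new)]


if __name__ == "__main__":
    for mask, comp, only_new in [("ALL", "ACK", False), ("ACK", "ACK", False),
                                 ("ALL", "ACK", True)]:
        rule = f"--tcp-flags {mask} {comp}"
        rule += " -m state --state NEW" if only_new else ""
        print(f"{rule:45} drops: {dropped(mask, comp, only_new)}")
```

Without the state match, "ALL ACK" already discards the third packet of every handshake and "ACK ACK" discards everything after the initial SYN; with the state match only the stray ACK is dropped.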
