> Thanks for the excellent explanation, Maciej. I guess what I was
> asking was if he blocks either "ALL ACK" or "ACK ACK" then he
> cannot do any TCP anymore...while there was no mention of
> -m state --state NEW...

That is true. Without -m state, you disable TCP completely.
My nmap blocking rules have:

-p tcp ALL ACK --state NEW -j REJECT --reject-with tcp-reset

Also I have made a trick to fool nmap into thinking that the host is down (unless -P0 is specified in the command line):

-p icmp --icmp-type echo-request -m length --length 120:122 -j ACCEPT

With this I block all pings, but when I want to ping I just send pings with a 120 byte payload:

windows:     ping -l 120 host.ip.is.here
linux/*nix:  ping -s 120 host.ip.is.here

The rest of the ICMPs either get in by ESTABLISHED, or if not, get DROPPED. I think it is a good way to handle ICMP.

Regards,
Maciej
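An added example (not code from the post or from netfilter) modelling how the -m length match above sees a ping: it assumes the kernel's xt_length behaviour, which compares the total IPv4 datagram length (a 20-byte IP header without options, the 8-byte ICMP header, then the payload), so it shows which --length range a given ping -s / ping -l size actually falls into.

```python
# Added example (not from the mailing-list post): models how an iptables
# "-m length --length MIN:MAX" rule sees an ICMP echo request. Assumption:
# the match compares the total IPv4 datagram length, as the kernel's
# xt_length does, and the IPv4 header carries no options (20 bytes).

IPV4_HEADER_LEN = 20   # assumption: no IP options
ICMP_HEADER_LEN = 8    # echo header: type, code, checksum, identifier, sequence
MAX_LEN = 65535        # largest IPv4 total length


def ping_datagram_length(payload_bytes: int) -> int:
    """Total IPv4 length of an echo request carrying payload_bytes of data.

    "ping -s N" (Linux/*nix) and "ping -l N" (Windows) both send N data
    bytes, so the datagram on the wire is 20 + 8 + N bytes.
    """
    if payload_bytes < 0 or payload_bytes > MAX_LEN - IPV4_HEADER_LEN - ICMP_HEADER_LEN:
        raise ValueError("payload does not fit in an IPv4 datagram")
    return IPV4_HEADER_LEN + ICMP_HEADER_LEN + payload_bytes


def parse_length_spec(spec: str) -> tuple[int, int]:
    """Parse a --length argument in the forms "N", "MIN:MAX", "MIN:" or ":MAX"."""
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        low = int(lo) if lo else 0
        high = int(hi) if hi else MAX_LEN
    else:
        low = high = int(spec)
    if not 0 <= low <= high <= MAX_LEN:
        raise ValueError(f"invalid --length range: {spec}")
    return low, high


def length_match(total_len: int, spec: str, invert: bool = False) -> bool:
    """True when the length match fires for a datagram of total_len bytes."""
    low, high = parse_length_spec(spec)
    return (low <= total_len <= high) != invert


def echo_request_accepted(payload_bytes: int, spec: str) -> bool:
    """Would an echo request with this payload hit an ACCEPT rule using spec?"""
    return length_match(ping_datagram_length(payload_bytes), spec)


if __name__ == "__main__":
    # Constructed sample sizes: Windows default, Linux default, and the 120 from the post.
    for payload in (32, 56, 120):
        total = ping_datagram_length(payload)
        print(f"payload {payload:>3} -> datagram {total} bytes, "
              f"matches 120:122: {echo_request_accepted(payload, '120:122')}")
```

For a 120-byte payload the datagram is 148 bytes, which is the figure any --length range has to include for that ping to reach the ACCEPT rule.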
