On Tue, May 28, 2002 at 10:21:40PM +0200, Maciej Soltysiak wrote:
> In my opinion, the only 100% sure place to put DROP is on a router, that
> is only a router and does not have any ports open.

Why is that?

> In other situations I am considering to REJECT with tcp-reset to TCP
> and reject with icmp dest-unreach port-unreach to UDP.
>
> BTW, I posted a patch to netfilter-devel on Saturday that allows us to:
>
> iptables -A INPUT -m ipunusedbit -j LOG --log-prefix "Unused: "
>
> The IP unused bit can be set with the tool sing, for example.
>
> That is one of many ways described by Ofir Arkin to do very discrete OS
> fingerprinting.
>
> Anybody interested in this?

Yes. Plus some docs.

Ramin
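As an added example (not part of this thread or of the ipunusedbit patch itself), here is the check such a match performs, written in Python from the defender's side: parse the IPv4 flags word, flag packets whose reserved bit is set, and emit a log line with the prefix used in the rule above. The packet headers are constructed inline; the helper and function names are the example's own.

```python
import struct

# IPv4 flags/fragment-offset word: bit 15 is the reserved bit, which RFC 791
# requires to be zero. A set bit is the "unused bit" the thread talks about.
IP_RESERVED_BIT = 0x8000
IP_DF_BIT = 0x4000


def ipv4_reserved_bit_set(packet: bytes) -> bool:
    """Return True if the IPv4 header's reserved flag bit is set."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    if packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    return bool(flags_frag & IP_RESERVED_BIT)


def log_unused_bit(packets, prefix="Unused: "):
    """Mimic what LOG would record: one line per packet with the bit set."""
    lines = []
    for pkt in packets:
        if ipv4_reserved_bit_set(pkt):
            src = ".".join(str(b) for b in pkt[12:16])
            dst = ".".join(str(b) for b in pkt[16:20])
            lines.append(f"{prefix}SRC={src} DST={dst} PROTO={pkt[9]}")
    return lines


def build_ipv4_header(src, dst, proto=6, flags_frag=IP_DF_BIT) -> bytes:
    """Constructed 20-byte IPv4 header for testing (checksum left at zero)."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0x1234,
                       flags_frag, 64, proto, 0, src_b, dst_b)


# Constructed sample traffic: one ordinary DF packet, one with the reserved bit.
SAMPLE_PACKETS = [
    build_ipv4_header("192.0.2.10", "198.51.100.5"),
    build_ipv4_header("192.0.2.77", "198.51.100.5",
                      flags_frag=IP_RESERVED_BIT | IP_DF_BIT),
]

if __name__ == "__main__":
    for line in log_unused_bit(SAMPLE_PACKETS):
        print(line)
```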
