> I recently thought about the following. If a port is closed the host
> refuses the connection. What exactly does the host respond with?

It sends a reset.

> Is it necessary that the host responds on a closed port (couldn't that be
> managed in some way with timeouts)?

If the host is alive it sends back a reset so that you don't have to wait for the timeout; otherwise the application would be stalled waiting for the timeout.

> Could you suggest a way to make ipchains act like a port was closed when
> filtering it, so that a portscanner from certain machines wouldn't notice
> the firewall?

Use '-j REJECT' instead of '-j DROP'.

For more info on this subject you can see my paper "Firewall rule exposure on ACK based filters" (http://www.bhodisoft.com/Sec/ba-2001-02.html), but your best bet is one of Fyodor's papers on how nmap (http://www.insecure.org/nmap/) works.

-G_E
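As an added illustration (not part of the original thread, and not G_E's or nmap's code), here is a minimal TCP connect scanner in Python that classifies a port by what comes back, which is exactly the distinction the reply is about: a connection refused error means a RST was received (the host is alive, nothing listens), a timeout means the SYN was silently dropped (the scanner has to wait the full timeout, which is what gives a DROP rule away), and a host/network unreachable error means an ICMP unreachable message came back instead. The function names, the 2-second timeout, and the use of 127.0.0.1 for the demo are my choices; the demo opens a listener to produce an "open" result and then closes it to produce a "closed" one on the same port.

```python
import errno
import socket
import time

# States as a connect-scan sees them (the nmap-style vocabulary):
OPEN = "open"                # SYN/ACK came back: something is listening
CLOSED = "closed"            # RST came back: host alive, port not listening
FILTERED = "filtered"        # nothing came back before the timeout: SYN dropped
UNREACHABLE = "unreachable"  # ICMP host/network unreachable came back


def probe(host, port, timeout=2.0):
    """Connect-scan one TCP port and classify the kernel's verdict.

    The kernel translates the wire-level answer into an errno for us:
    RST -> ECONNREFUSED, silence -> timeout, ICMP unreachable -> EHOSTUNREACH.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return OPEN
    except socket.timeout:
        # socket.timeout is an OSError subclass, so it must be caught first.
        return FILTERED
    except OSError as e:
        if e.errno == errno.ECONNREFUSED:
            return CLOSED
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return UNREACHABLE
        raise
    finally:
        s.close()


def timed_probe(host, port, timeout=2.0):
    """Return (state, seconds_elapsed); a RST answers in milliseconds,
    a dropped SYN costs the whole timeout."""
    t0 = time.monotonic()
    state = probe(host, port, timeout)
    return state, time.monotonic() - t0


def start_listener(host="127.0.0.1"):
    """Open a listening socket on an ephemeral port (an 'open' port for the demo)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def unused_port(host="127.0.0.1"):
    """Pick a port nothing listens on (a 'closed' port for the demo).
    Small race between close() and the probe; fine for a demonstration."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    srv, port = start_listener()
    print(port, timed_probe("127.0.0.1", port))   # open, fast
    srv.close()
    print(port, timed_probe("127.0.0.1", port))   # closed, fast: a RST came back
    # Against a host whose firewall DROPs the SYN you would instead see
    # ('filtered', ~2.0): the timeout itself is the fingerprint of the filter.
```

Run it against a remote host and port to compare the timings: the "closed" verdict on a live host arrives in one round trip, while a silently dropped SYN makes the scanner sit out the full timeout, which is the observable difference the question is asking about.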
