Hello, to understand why nmap shows these results I have been tcpdumping the scans and looking at what is going on. I found that, if you simply DROP the Xmas, Null, etc. scans (not Syn scan) you are going to get a 'filtered' answer. Unfortunately all my rules went to hell while toying with lvm; I have just set up this computer.

But in my opinion the best way to handle scanning is to apply rules in this order:

1. check if it is URG,PSH,FIN; if so REJECT with TCP Reset
2. the same goes for Null and FIN scans
3. some other rules for invalid combinations go here :)
4. use the PSD module (REJECT/DROP, your choice), but at this step this rule applies only to Syn scans and UDP scans and everything you are not checking in previous steps.
5. use Unclean to DROP the packets

This way, nmap will show closed for all ports using Xmas scans. It will react to Syn scans later on. It will react to other sorts of invalid traffic. E.g. using only unclean can give the sort of results you are getting, which are the result of improper handling of the scans.

Note that hping2 has its own interpretation of Xmas and Ymas; it uses reserved bits AFAIK.

I hope this answer clears your doubts. Remember, the scanning tool sends some stuff and then looks for everything that would suggest that someone is trying to defend himself.

One last note. I remember that nmap acts strange. Before nmap issues his Scans, he ALWAYS pings, and then sends an ACK to port 80. I think that if you could use the recent module to check for an ACK dport 80 after a ping, you could easily catch all nmap scans. But I say catch; the way you should answer may depend on the type of scan.

Have a nice day,
Maciej Soltysiak
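The rule ordering described in the message above, written out as an iptables rule set (an added example, not code from the original post or from its author). The script prints the iptables commands instead of running them, so the ordering can be reviewed and tested without root; piping its output into sh applies it. Assumed, not from the post: the INPUT chain, the psd match as shipped by xtables-addons (patch-o-matic in 2002), the name of the recent list ("nmap_probe") and its 5-second window, and the treatment of "unclean" as a legacy patch-o-matic match that current kernels no longer provide, which is why that rule is emitted as a comment.

```shell
#!/bin/sh
# Added example (not from the original post). Emits iptables commands in the
# order the post recommends: handle the flag-based scans first, then hand the
# rest (Syn/UDP scans) to the psd match. "./rules.sh | sh" applies it as root.
# Constructed/assumed names: INPUT chain, list name nmap_probe, 5 s window.

IPT=${IPT:-iptables}

scan_rules() {
    # 1. Xmas scan (URG,PSH,FIN set, nothing else): answer with a TCP reset so
    #    the scanner sees "closed" instead of "filtered".
    printf '%s\n' "$IPT -A INPUT -p tcp --tcp-flags ALL URG,PSH,FIN -j REJECT --reject-with tcp-reset"
    # 2. Null scan (no flags at all) and FIN scan (only FIN): same treatment.
    printf '%s\n' "$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j REJECT --reject-with tcp-reset"
    printf '%s\n' "$IPT -A INPUT -p tcp --tcp-flags ALL FIN -j REJECT --reject-with tcp-reset"
    # 3. Flag combinations that never occur in a legitimate TCP exchange.
    printf '%s\n' "$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP"
    printf '%s\n' "$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP"
    printf '%s\n' "$IPT -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP"
    # 4. Port-scan detection (psd match, xtables-addons) catches what is left,
    #    i.e. Syn and UDP scans. DROP here; REJECT is equally valid.
    printf '%s\n' "$IPT -A INPUT -m psd -j DROP"
    # 5. "unclean": legacy patch-o-matic match, assumed unavailable on current
    #    kernels, so it is emitted as a comment for the reader to enable.
    printf '%s\n' "# $IPT -A INPUT -m unclean -j DROP"
}

nmap_probe_rules() {
    # The recent-module idea from the post: remember hosts that ping us, then
    # log an ACK-only packet to port 80 that arrives from such a host within
    # 5 s. Logging only; what to answer depends on the scan type, as the post says.
    printf '%s\n' "$IPT -A INPUT -p icmp --icmp-type echo-request -m recent --set --name nmap_probe"
    printf '%s\n' "$IPT -A INPUT -p tcp --dport 80 --tcp-flags ALL ACK -m recent --rcheck --seconds 5 --name nmap_probe -j LOG --log-prefix \"nmap-probe: \""
}

rule_position() {
    # Review helper: 1-based position of the first scan rule whose text
    # contains $1, or 0 if no rule matches (ordering is what matters here).
    n=$(scan_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1)
    printf '%s\n' "${n:-0}"
}

# Print the whole rule set for review or for piping into sh.
scan_rules
nmap_probe_rules
```

The order matters: the Xmas, Null and FIN checks sit before the psd rule so those scans get a reset (and nmap reports "closed") before the scan detector sees them; anything that falls through is exactly the Syn and UDP traffic the post leaves to the PSD module.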
This archive was generated by hypermail 2b30 : Wed Mar 27 2002 - 09:51:43 PST