[ale] nmap and REJECT rules

Chris Ricker kaboom at oobleck.net
Mon May 9 15:42:08 EDT 2005


On Mon, 9 May 2005, Christopher Fowler wrote:

> I assumed REJECT was the same as if there was nothing listening on that
> port.

For TCP, connections to an unbound port are normally replied to with a TCP reset.

For UDP, connections to an unbound port are normally replied to with an ICMP port unreachable.

iptables -j REJECT by default does ICMP port unreachable replies for both TCP and UDP, so connections to a port filtered by -j REJECT look the same as connections to an unbound port for UDP but different than connections to an unbound port for TCP.

iptables -p tcp -j REJECT --reject-with tcp-reset for TCP rules will ensure that connections to that port receive a TCP reset in reply.

The -j REJECT --reject-with tcp-reset is broken in a lot of vendors' kernels, so if you want to use it, actually test it first and verify by packet capture that it does respond with a TCP reset and not an ICMP port unreachable.

iptables -j DROP discards without response, so it's always different than an unbound port, and therefore always visible.

later,
chris
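The packet-capture check Chris recommends, as an added example that is not part of the original thread: it reads tcpdump -n style lines (a constructed sample, not a real capture) and reports, per probed port, whether the reply was a TCP reset (looks like an unbound port), an ICMP port unreachable (REJECT visible on TCP, normal on UDP) or nothing at all (DROP visible). Host addresses, ports and the classify_capture function name are assumptions for the example.

```python
import re
from collections import OrderedDict

# Constructed tcpdump -n style capture (not a real capture): a scanner at
# 10.0.0.5 probes TCP 22, 23, 25 and UDP 53 on the firewall host 10.0.0.1.
CAPTURE = """\
IP 10.0.0.5.40001 > 10.0.0.1.22: Flags [S], seq 1, win 64240, length 0
IP 10.0.0.1.22 > 10.0.0.5.40001: Flags [R.], seq 0, ack 2, win 0, length 0
IP 10.0.0.5.40002 > 10.0.0.1.23: Flags [S], seq 1, win 64240, length 0
IP 10.0.0.1 > 10.0.0.5: ICMP 10.0.0.1 tcp port 23 unreachable, length 48
IP 10.0.0.5.40003 > 10.0.0.1.25: Flags [S], seq 1, win 64240, length 0
IP 10.0.0.5.40004 > 10.0.0.1.53: UDP, length 12
IP 10.0.0.1 > 10.0.0.5: ICMP 10.0.0.1 udp port 53 unreachable, length 48
"""

TCP_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")
UDP_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP,")
ICMP_RE = re.compile(r"IP (\S+) > (\S+): ICMP \S+ (tcp|udp) port (\d+) unreachable")

def classify_capture(text, target):
    """Return {(proto, port): verdict} for every probe sent to target."""
    probes, replies = OrderedDict(), {}
    for line in text.splitlines():
        m = TCP_RE.match(line)
        if m:
            src, sport, dst, dport, flags = m.groups()
            if dst == target and "S" in flags and "." not in flags:
                probes[("tcp", int(dport))] = None          # bare SYN probe
            elif src == target and "R" in flags:
                replies[("tcp", int(sport))] = "tcp-reset"  # RST from target
            continue
        m = UDP_RE.match(line)
        if m and m.group(3) == target:
            probes[("udp", int(m.group(4)))] = None         # UDP probe
            continue
        m = ICMP_RE.match(line)
        if m and m.group(1) == target:                      # ICMP from target
            replies[(m.group(3), int(m.group(4)))] = "icmp-port-unreachable"
    verdicts = {}
    for key in probes:
        proto, reply = key[0], replies.get(key)
        if proto == "tcp":   # only a RST matches an unbound TCP port
            verdicts[key] = {"tcp-reset": "closed (same as unbound port)",
                             "icmp-port-unreachable": "REJECT visible (RST expected)",
                             None: "filtered (DROP visible)"}[reply]
        else:                # ICMP unreachable is the normal reply for UDP
            verdicts[key] = {"icmp-port-unreachable": "closed (same as unbound port)",
                             None: "open|filtered (no reply: DROP or silent service)"}[reply]
    return verdicts
```

Run it against a real `tcpdump -n -i <iface> host <scanner>` capture taken while the port scan runs; any TCP port reported as "REJECT visible" is one where --reject-with tcp-reset did not take effect.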


