[ale] nmap and REJECT rules
Chris Ricker
kaboom at oobleck.net
Mon May 9 15:42:08 EDT 2005
On Mon, 9 May 2005, Christopher Fowler wrote:
> I assumed REJECT was the same as if there was nothing listening on that
> port.
For TCP, connections to an unbound port are normally replied to with a TCP
reset
For UDP, connections to an unbound port are normally replied to with an
ICMP port unreachable
iptables -j REJECT by default does ICMP port unreachable replies for both
TCP and UDP, so connections to a port filtered by -j REJECT look the same as
connections to an unbound port for UDP but different than connections to
an unbound port for TCP
iptables -p tcp -j REJECT --reject-with tcp-reset for TCP rules will
ensure that connections to that port receive a TCP reset in reply
The -j REJECT --reject-with tcp-reset is broken in a lot of vendors'
kernels, so if you want to use it, actually test it first and verify by
packet capture that it does respond with a TCP reset and not an ICMP port
unreachable
iptables -j DROP discards without response, so it's always different than
an unbound port, and therefore always visible
later,
chris
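One way to do the packet-capture verification chris recommends, as an added example that is not from the post or the list: this Python parses tcpdump-style text lines (a constructed sample with hypothetical addresses 192.0.2.10 and 198.51.100.5) and reports, per probed port, whether the reply is the one a genuinely unbound port would send (TCP reset for TCP, ICMP port unreachable for UDP) or something that gives the filter away.

```python
"""Check from tcpdump-style text whether REJECTed ports answer like unbound ports."""
import re
from typing import Dict, Optional, Tuple

Key = Tuple[str, int]  # (proto, destination port)

# Constructed sample capture: hypothetical prober 192.0.2.10, target 198.51.100.5.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 192.0.2.10.40001 > 198.51.100.5.22: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 IP 198.51.100.5.22 > 192.0.2.10.40001: Flags [R.], seq 0, ack 2, win 0, length 0
12:00:02.000001 IP 192.0.2.10.40002 > 198.51.100.5.25: Flags [S], seq 1, win 64240, length 0
12:00:02.000002 IP 198.51.100.5 > 192.0.2.10: ICMP 198.51.100.5 tcp port 25 unreachable, length 48
12:00:03.000001 IP 192.0.2.10.40003 > 198.51.100.5.53: UDP, length 12
12:00:03.000002 IP 198.51.100.5 > 192.0.2.10: ICMP 198.51.100.5 udp port 53 unreachable, length 48
12:00:04.000001 IP 192.0.2.10.40004 > 198.51.100.5.80: Flags [S], seq 1, win 64240, length 0
"""

PROBE_RE = re.compile(r"IP \S+\.\d+ > (\S+)\.(\d+): (Flags \[S\]|UDP)")
TCP_REPLY_RE = re.compile(r"IP (\S+)\.(\d+) > \S+\.\d+: Flags \[([RS])\.?\]")
ICMP_RE = re.compile(r"IP (\S+) > \S+: ICMP \S+ (tcp|udp) port (\d+) unreachable")


def parse_replies(capture: str, target: str) -> Dict[Key, Optional[str]]:
    """Map each (proto, port) probed on target to the reply seen; None means silence."""
    replies: Dict[Key, Optional[str]] = {}
    for line in capture.splitlines():
        if (m := ICMP_RE.search(line)) and m.group(1) == target:
            replies[(m.group(2), int(m.group(3)))] = "icmp-port-unreachable"
        elif (m := TCP_REPLY_RE.search(line)) and m.group(1) == target:
            kind = "tcp-reset" if m.group(3) == "R" else "syn-ack"  # [S.] = open port
            replies[("tcp", int(m.group(2)))] = kind
        elif (m := PROBE_RE.search(line)) and m.group(1) == target:
            proto = "tcp" if m.group(3).startswith("Flags") else "udp"
            replies.setdefault((proto, int(m.group(2))), None)  # silent until a reply shows
    return replies


def looks_unbound(proto: str, reply: Optional[str]) -> bool:
    """True when the reply is exactly what a genuinely unbound port of that proto sends."""
    expected = "tcp-reset" if proto == "tcp" else "icmp-port-unreachable"
    return reply == expected


def audit(capture: str, target: str) -> Dict[Key, Tuple[Optional[str], bool]]:
    """Per probed port: (reply kind, indistinguishable-from-unbound?). A False flags a
    visible filter: ICMP unreachable on a TCP port (default REJECT) or silence (DROP)."""
    return {k: (r, looks_unbound(k[0], r)) for k, r in parse_replies(capture, target).items()}
```

In the sample, tcp/22 (reject-with tcp-reset) and udp/53 (default REJECT) pass, while tcp/25 (default REJECT, ICMP reply) and tcp/80 (DROP, no reply) are reported as distinguishable from an unbound port.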