[ale] Nmap + filtered ports
Chris Ricker
kaboom at oobleck.net
Fri Dec 16 17:47:37 EST 2005
On Fri, 16 Dec 2005, Jeff Hubbs wrote:
> I'm confused. My man iptables says "DROP means to drop the packet on
> the floor." http://www.gophernet.org/articles/iptables.html has a more
> verbose explanation. REJECT actually returns something, doesn't it?
That's the whole point -- you have to return something if you want it to
look "normal".
If you connect to a normal, unfiltered port with nothing listening on it,
a compliant TCP/IP stack does not drop your connecting packet on the
floor. Instead, it returns a response that lets you know there's no
service listening on that port:
* for TCP, it returns a TCP reset
* for UDP, it returns an ICMP port unreachable
By using the "-p tcp -j REJECT --reject-with tcp-reset" or "-p udp -j
REJECT", your filter response is the same as an unfiltered, unbound port's
response.
That's not to say an "iptables -p tcp -j REJECT --reject-with tcp-reset"
is undetectable, just that it's a lot less obvious than an "iptables -p
tcp -j DROP". Whether that's good or bad is situation-dependent and
opinion-dependent ;-)
later,
chris
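As an added illustration of the point above (example code, not from the poster or the ALE list), here is a constructed model of the reply each iptables target produces for a probe to a port with nothing behind it, and the state an Nmap-style scanner infers from that reply: DROP yields "filtered", REJECT with tcp-reset yields the same "closed" as an ordinary unbound port, and a bare "-p tcp -j REJECT" (whose default is icmp-port-unreachable) still shows up as "filtered". The Policy labels, the tuple reply encoding, and the function names are assumptions for the simulation; no packets are sent.

```python
"""Constructed model (added example, not the poster's code): the port state
an Nmap-style scanner infers from the reply it gets. Policy names below are
assumed labels standing in for the iptables targets discussed in the post."""
from enum import Enum
from typing import Optional, Tuple

Reply = Optional[Tuple[str, str]]      # None = silence; else (proto, detail)
RST, SYN_ACK = ("tcp", "RST"), ("tcp", "SYN/ACK")
ICMP_PORT_UNREACH = ("icmp", "3/3")    # type 3 code 3; what -j REJECT sends by default
# ICMP unreachable type/code values that Nmap treats as evidence of filtering
FILTERING_ICMP = {"3/1", "3/2", "3/3", "3/9", "3/10", "3/13"}

class Policy(Enum):
    DROP = "-j DROP"                                     # silent discard
    REJECT_TCP_RESET = "-j REJECT --reject-with tcp-reset"
    REJECT_DEFAULT = "-j REJECT"                         # icmp-port-unreachable

def firewall_reply(policy: Policy, proto: str) -> Reply:
    """Reply the firewall sends to a probe matching the given policy."""
    if policy is Policy.DROP:
        return None
    if policy is Policy.REJECT_TCP_RESET and proto == "tcp":
        return RST
    return ICMP_PORT_UNREACH            # plain REJECT, for tcp and udp alike

def unbound_port_reply(proto: str) -> Reply:
    """What a compliant, unfiltered stack sends for a port nobody listens on."""
    return RST if proto == "tcp" else ICMP_PORT_UNREACH

def classify_tcp(reply: Reply) -> str:
    """SYN-scan inference: silence or an ICMP unreachable both read as filtered."""
    if reply is None:
        return "filtered"
    proto, detail = reply
    if proto == "tcp":
        return "open" if detail == "SYN/ACK" else "closed"
    return "filtered" if detail in FILTERING_ICMP else "unknown"

def classify_udp(reply: Reply) -> str:
    """UDP-scan inference: only ICMP port unreachable (3/3) proves 'closed'."""
    if reply is None:
        return "open|filtered"          # silence is ambiguous for UDP
    proto, detail = reply
    if proto == "udp":
        return "open"
    if detail == "3/3":
        return "closed"
    return "filtered" if detail in FILTERING_ICMP else "unknown"
```

Comparing classify_tcp(firewall_reply(policy, "tcp")) against classify_tcp(unbound_port_reply("tcp")) for each Policy shows which target leaves a filtered port indistinguishable from a plain closed one.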