On Tue, Feb 03, 2004 at 02:09:42PM +0100, François TOURDE wrote:
> On the 12451st day after Epoch,
> Richard Atterer wrote:
>
> > On Tue, Feb 03, 2004 at 05:38:40AM +0100, Philipp Schulte wrote:
> >> No, with REJECT they would show up as "closed". DROP produces "filtered".
> >
> > FWIW, you also need "--reject-with tcp-reset" to fool nmap.
>
> But I think DROP is the best way, 'cause it slows down NMAP or other
> sniffers. Sniffers must wait for the packet timeout, then retry, then wait,
> etc.
Check out the TARPIT target [*] if you're to take this route, but beware it
is really a killer patch--at least, we've had a misconfigured rule that
caused significant headache to our legitimate users.

[*] http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-TARPIT

bit, adam

--
Am I a cleric?     | 1024D/37B8D989
Or maybe a sinner? | 954B 998A E5F5 BA2A 3622
Unbeliever?        | 82DD 54C2 843D 37B8 D989
Renegade?          | http://sks.dnsalias.net
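The two rule styles the thread compares, as an added example (not code from any of the list posts): a POSIX sh function, hypothetically named gen_ruleset, that emits an iptables-restore(8) filter table in either style, "reset" (REJECT with tcp-reset, so unwanted ports read as "closed" to a scanner) or "drop" (silent DROP, so they read as "filtered" and the scanner has to wait out its retries). Allowed TCP ports are passed as arguments; TARPIT is left out because it needs the patch-o-matic extension.

```shell
#!/bin/sh
# gen_ruleset MODE PORT...  -> prints an iptables-restore filter table on stdout.
#   MODE=reset : unwanted TCP gets RST, unwanted UDP gets ICMP port-unreachable
#                (the port looks "closed" to a scanner)
#   MODE=drop  : unwanted packets are silently discarded
#                (the port looks "filtered"; the scanner waits for timeouts)
# Load the result with:  gen_ruleset reset 22 80 | iptables-restore
gen_ruleset() {
    mode="$1"; shift
    case "$mode" in
        reset)
            tcp_action='REJECT --reject-with tcp-reset'
            udp_action='REJECT --reject-with icmp-port-unreachable' ;;
        drop)
            tcp_action='DROP'
            udp_action='DROP' ;;
        *)
            echo "gen_ruleset: mode must be 'reset' or 'drop'" >&2
            return 1 ;;
    esac

    echo '*filter'
    # Default-deny on INPUT; whatever slips past the explicit rules is dropped.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Loopback and already-established traffic must always pass.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # One rule per service port we actually offer (new connections only).
    for port in "$@"; do
        echo "-A INPUT -p tcp --dport $port --syn -j ACCEPT"
    done
    # Everything else is answered (or not) according to MODE.
    echo "-A INPUT -p tcp -j $tcp_action"
    echo "-A INPUT -p udp -j $udp_action"
    echo 'COMMIT'
}
```

The only difference between the two outputs is the last two rules before COMMIT, which is exactly the "closed" versus "filtered" choice being argued about.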