thomas lakofski <[EMAIL PROTECTED]> writes:

> On Tue, 13 Nov 2001, phadell wrote:
>
> > I would like to do a rule that mirrors the packets that come in from a
> > portscanner. The rule must return the packets to the source. If anyone
> > scans my machine's ports, the result will be the list of the source
> > address's open ports.
>
> this will enable an attacker to bounce arbitrary packets off your machine
> to any target by spoofing source address -- probably not what you would
> want to happen...
Frying pan: If done properly... it's a risk, but one that's assessable.

> if you want to stop portscans maybe portsentry would help you?

Fire: If you use portsentry in dynamic mode, you're open to spoofed IP#s just as much - someone making you block your nameserver or default route would be favourite. (Not to mention, how do you get it to "protect" a service that's already on a port...?)

If you want to stop port-scans, use a proper firewall with DENY (ipchains) or DROP (iptables) by default. Use either snort or, at a push, portsentry, to spot incoming packets matching signatures of known exploits, for the `cool, I dropped the packet anyway' factor.

~Tim
--
Move a mountain / Fill the ground         |[EMAIL PROTECTED]
Take death on wheels / Re-create the land |http://spodzone.org.uk/
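The default-DROP firewall Tim recommends, as an added example that is not part of the original thread or of any of the tools it names: a small POSIX shell script that emits an iptables-restore ruleset whose INPUT chain policy is DROP (so an unsolicited probe gets no answer at all, and nothing is ever reflected to a spoofed source), plus a check that reports whether an existing ruleset file actually has that default. The permitted ports (22, 80), the `conntrack` match module and the rate-limited LOG rule are assumptions chosen for illustration; ipchains-era systems would use `DENY` instead.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates an iptables-restore
# "filter" table that drops by default, and checks a ruleset file's INPUT
# policy. Ports, interface and the conntrack/LOG modules are assumptions.

# gen_ruleset PORT... : print a default-DROP filter table that accepts only
# loopback, replies to connections we started, and the listed TCP ports.
gen_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'    # unsolicited inbound: silently dropped
    printf '%s\n' ':FORWARD DROP [0:0]'  # this box is not a router
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Let answers to connections we initiated back in; bin malformed state.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*)
                echo "gen_ruleset: bad port '$port'" >&2
                return 1 ;;
        esac
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Rate-limited log of what the policy is about to drop: this is where a
    # snort/portsentry-style "I dropped it anyway" view comes from.
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "DROP-INPUT: "'
    printf '%s\n' 'COMMIT'
}

# input_policy FILE : print the INPUT chain policy (DROP, ACCEPT, ...) found
# in an iptables-restore file, or "none" if the chain line is absent.
input_policy() {
    awk '$1 == ":INPUT" { print $2; found = 1 }
         END { if (!found) print "none" }' "$1"
}

# is_default_drop FILE : succeed (exit 0) only if the INPUT policy is DROP.
is_default_drop() {
    [ "$(input_policy "$1")" = "DROP" ]
}

# Usage (run as root on the firewall host):
#   gen_ruleset 22 80 > /etc/iptables/rules.v4
#   is_default_drop /etc/iptables/rules.v4 && iptables-restore < /etc/iptables/rules.v4
```

The check is deliberately separate from the generator: the useful habit is to verify the policy line in whatever ruleset is about to be loaded, because a ruleset that ends in `:INPUT ACCEPT` with a pile of per-port REJECT or "mirror" rules is exactly the shape that answers spoofed packets on behalf of the scanner.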