On the 12451st day after Epoch, Richard Atterer wrote:
> On Tue, Feb 03, 2004 at 05:38:40AM +0100, Philipp Schulte wrote:
>> No, with REJECT they would show up as "closed". DROP produces "filtered".
>
> FWIW, you also need "--reject-with tcp-reset" to fool nmap.

But I think DROP is the best way, 'cause it slows down NMAP or other sniffers. Sniffers must wait for the packet timeout, then retry, then wait, etc.

--
"Problem solving under linux has never been the circus that it is under AIX."
(By Pete Ehlke in comp.unix.aix)