Hi,
Just to let you know, regarding my previous post:
> In particular, I used SET instead of CONNMARK to implement the rules
> described by Jan Engelhardt in "Detecting and deceiving network scans".
(Has nothing to do with IP sets.)
As it turns out, some legitimate clients open and close TCP connections
in a way which makes them behave like connect scans. This makes the
attempt to detect those scans with the mentioned rules look less appealing.
Best Regards,
Rudolf