nmap

thanks for that :-)



Andy Wood <andy.wood@sptrm.com>@lists.netfilter.org on 10/22/2002 05:46:26 PM

Sent by:    netfilter-admin@lists.netfilter.org


To:    Antonio Paulo Salgado Forster/Brazil/IBM@IBMBR
cc:    netfilter@lists.netfilter.org
Subject:    RE: nmap



echo 32768 > /proc/sys/net/ipv4/ip_conntrack_max

 Value should depend on RAM

-----Original Message-----
From: Antonio Paulo Salgado Forster [mailto:aforster@br.ibm.com]
Sent: Tuesday, October 22, 2002 3:19 PM
To: Antony Stone
Cc: netfilter@lists.netfilter.org
Subject: Re: nmap



I had problems scanning through netfilter depending on the kind of scan
you run... One of the problems you may face, in case you run an ACK scan from
a segment that has permission for the traffic, is that you will have your
conntrack full in a few seconds with ESTABLISHED connections that will take
long to disappear... The same will happen when portscanning from the firewall
box with a default policy for OUTPUT set to ACCEPT.

One of the ways to fix this is to increase the size of the conntrack... I used
to do that when creating the box by changing the source code and recompiling
the kernel... but I don't know if there are any side effects of doing that...

--Regards,

Forster




Antony Stone <Antony@Soft-Solutions.co.uk>@lists.netfilter.org on 10/22/2002 03:31:42 PM

Sent by:    netfilter-admin@lists.netfilter.org


To:    netfilter@lists.netfilter.org
cc:
Subject:    Re: nmap



On Tuesday 22 October 2002 4:42 pm, antonio wrote:

> Hi Everyone,
>
> Just a question:
> I want to set up a firewall box with iptables in which I can use nmap.
> Which ports/protocols can I set to ACCEPT and which to DROP?

Do you mean you want to run nmap on a box also running netfilter, to scan
other machines?

If so, set your OUTPUT policy to ACCEPT, set your INPUT policy to DROP with
a single rule:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

and you'll be able to scan other machines and get the replies back, but
anything new coming in to your machine will be blocked.

If I didn't understand correctly what you wanted to do please give more
details.

Antony.

--

Which part of 'apt-get dist-upgrade' do you not understand ???
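As an added example that is not part of the thread (it is not code from Antony, Andy or Forster): a small POSIX shell script that puts Antony's ruleset into a form you can apply without locking yourself out, sizes ip_conntrack_max from RAM as Andy suggests, and polls the table fill level so you notice the problem Forster describes before a scan stalls. The RAM formula, the loopback rule and the 80% warning threshold are my assumptions, not anything the thread states; the /proc paths cover both the 2.4 ip_conntrack and the later nf_conntrack names.

```sh
#!/bin/sh
# Added example, not code from the thread: the scanner-box firewall Antony
# described, plus sizing and monitoring of the conntrack table that Forster
# and Andy discussed. Assumes iptables with the "state" match and tries both
# the 2.4 (ip_conntrack) and 2.6.15+ (nf_conntrack) /proc paths.

# Rule of thumb for Andy's "value should depend on RAM" (an assumption here,
# not stated in the thread): the 2.4 kernel's default ip_conntrack_max works
# out to roughly RAM_bytes / 16384 on 32-bit, so 512 MB gives 32768, the
# number Andy quoted. Each entry costs a few hundred bytes of unswappable
# kernel memory, so do not set it arbitrarily high on a small box.
conntrack_max_for_ram_mb() {
    echo $(( $1 * 1024 * 1024 / 16384 ))
}

# Percentage of the table in use; used to warn before a scan fills it.
conntrack_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# Print Antony's ruleset. Rules are added before the policy flips to DROP so
# an admin session over SSH is never caught in the gap. The loopback rule is
# my addition: without it, anything on the box talking to itself (a local
# resolver, for instance) would be blocked by the DROP policy.
nmap_scanner_rules() {
    cat <<'EOF'
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
EOF
}

apply_scanner_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    nmap_scanner_rules | sh -e
}

# Write the conntrack limit to whichever sysctl this kernel exposes.
set_conntrack_max() {
    for f in /proc/sys/net/netfilter/nf_conntrack_max \
             /proc/sys/net/ipv4/ip_conntrack_max; do
        if [ -w "$f" ]; then
            echo "$1" > "$f" && echo "$f = $1"
            return 0
        fi
    done
    echo "no conntrack sysctl found (module not loaded?)" >&2
    return 1
}

# Report table fill level; returns non-zero above 80% (my threshold) so it
# can be polled from a loop while a scan is running.
conntrack_check() {
    max=""; count=""
    for base in /proc/sys/net/netfilter/nf_conntrack \
                /proc/sys/net/ipv4/ip_conntrack; do
        if [ -r "${base}_max" ]; then
            max=$(cat "${base}_max")
            [ -r "${base}_count" ] && count=$(cat "${base}_count")
            break
        fi
    done
    # 2.4 fallback: count the entries listed in /proc/net/ip_conntrack
    if [ -z "$count" ] && [ -r /proc/net/ip_conntrack ]; then
        count=$(( $(wc -l < /proc/net/ip_conntrack) + 0 ))
    fi
    if [ -z "$max" ] || [ -z "$count" ]; then
        echo "conntrack table not available" >&2
        return 1
    fi
    pct=$(conntrack_usage_pct "$count" "$max")
    echo "conntrack: $count of $max entries used ($pct%)"
    [ "$pct" -lt 80 ]
}

# Usage: sh scanner-fw.sh apply <ram_mb>   (as root)
#        sh scanner-fw.sh check
case "${1:-}" in
    apply) apply_scanner_rules &&
           set_conntrack_max "$(conntrack_max_for_ram_mb "${2:-512}")" ;;
    check) conntrack_check ;;
esac
```

Note the trade-off the thread is circling: the INPUT rule only lets a reply through because conntrack created an entry for the probe the scanner sent, so every probe of an ACK or SYN scan costs a table slot until that entry expires. Raising ip_conntrack_max buys headroom; the check function tells you when you are running out of it.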