Wed, 23 Oct 2002 00:35:27 +0200, you said:

> OK but if I set the policy OUTPUT at DROP which ports/prot I have to set
> all ACCEPT?
> This is my problem.

every dport/protocol you want to allow to be scanned...

You cannot filter much OUTPUT if you want to allow nmap. You can use the -m owner with --cmd-owner if it's available on your computer to allow "nmap" initiated connections.

But... what do you want to do by filtering OUTPUT? Sure, you can drop INVALID packets, filter floods, stop packets coming from root and so on, but if you want to allow normal internet activity from the box, you have to allow NEW connections on OUTPUT to any host/port...

--
Gael Le Mignot "Kilobug" - kilobug@freesurf.fr - http://kilobug.free.fr
GSM : 06.71.47.18.22 (in France)
ICQ UIN : 7299959
Fingerprint : 1F2C 9804 7505 79DF 95E6 7323 B66B F67B 7103 C5DA
Member of HurdFr: http://hurdfr.org - The GNU Hurd: http://hurd.gnu.org
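The kind of OUTPUT ruleset the reply is describing, written out as an added example (not code from the thread or from either poster): default policy DROP, replies and INVALID handled first, and NEW connections allowed only for a dedicated scanner account. It assumes a hypothetical local user named "scanner" and uses --uid-owner, because the --cmd-owner option mentioned in the reply no longer exists in current kernels.

```bash
#!/bin/sh
# Added example: an OUTPUT chain with policy DROP that still lets a scanner
# run from the box. Assumption: the scanner runs as the local user "scanner"
# (hypothetical name). Caveat: "--cmd-owner" was removed from the kernel's
# owner match long ago; only --uid-owner/--gid-owner remain, so a raw-socket
# scan run as root will not be matched by a non-root uid rule (it falls
# through to the LOG line and the DROP policy), while an unprivileged
# connect() scan by "scanner" is allowed.

IPT="${IPT:-iptables}"
SCAN_USER="${SCAN_USER:-scanner}"

# Emit the rules as text so they can be reviewed or diffed before applying.
output_rules() {
    cat <<EOF
$IPT -P OUTPUT DROP
$IPT -F OUTPUT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state INVALID -j DROP
$IPT -A OUTPUT -m owner --uid-owner $SCAN_USER -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -m state --state NEW -j LOG --log-prefix "OUTPUT-DROP: "
EOF
}

# The thread's real question is how many rules open NEW outbound connections;
# this counts them so a reviewer can see the answer at a glance.
count_new_accepts() {
    output_rules | grep -c -- '--state NEW -j ACCEPT'
}

# Apply only when running as root with iptables present; otherwise just print.
apply_rules() {
    if [ "$(id -u)" -eq 0 ] && command -v "$IPT" >/dev/null 2>&1; then
        output_rules | sh
    else
        output_rules
    fi
}

case "${1:-print}" in
    apply) apply_rules ;;
    *) output_rules ;;
esac
```

Run with `apply` as root to load the chain; without it the script only prints the rules.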