On Wednesday 05 November 2003 2:14 pm, Leandro Takashi Hirano wrote:

> How does this rule work?
>
> iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

It means that any packets which have the RST flag set, and the SYN, ACK, FIN flags cleared, will only be allowed *through* the firewall at a maximum rate of one packet per second.

> Is it safe to use only this rule to avoid port scanners?

Depends what you mean by "safe" and "avoid" :)

Here are some observations on the above rule:

1. It is in the FORWARD chain, therefore it has no effect on people port scanning the firewall itself (it would need to be in the INPUT chain to affect that).

2. One packet per second will be ACCEPTed. What happens to the other packets (and whether anything gets returned to the scanner) depends on the other rules following this one in the chain.

3. The rule only applies to packets with RST set, and SYN, ACK, FIN clear. Therefore it will influence the outcome of a RST port scan, but have no effect on a FIN scan, or a SYN scan.

I think in order to answer your question we first need to know:

- what response do you want someone to get when they attempt to port scan your system?

Regards,

Antony.

-- 
"It is not the strongest of the species that survive, nor the most intelligent, but the ones most responsive to change." - Charles Darwin

Please reply to the list; please don't CC me.
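The following is an added example, not part of the mail above: a small Python model of the two matches in the rule under discussion, `--tcp-flags MASK COMP` and `-m limit --limit 1/s`, run over constructed probe packets so that observations 2 and 3 can be checked. The limit match is modelled as a token bucket with the default `--limit-burst 5` documented in iptables(8), so the first five matching packets pass before the one-per-second rate applies; the kernel's exact credit arithmetic differs in detail. The DROP policy used for non-matching packets is an assumption standing in for "the other rules following this one in the chain".

```python
# Added example (not from the mail): model of the iptables rule
#   -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# on constructed probe traffic. Simplified token bucket; default burst 5 per iptables(8).
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

SYN, ACK, FIN, RST, PSH, URG = "SYN", "ACK", "FIN", "RST", "PSH", "URG"


def tcp_flags_match(pkt_flags: Sequence[str], mask: Sequence[str], comp: Sequence[str]) -> bool:
    """--tcp-flags MASK COMP: of the flags in MASK, exactly those in COMP must be set.
    Flags outside MASK (here PSH and URG) are not examined at all."""
    mask_set, comp_set = frozenset(mask), frozenset(comp)
    if not comp_set <= mask_set:
        raise ValueError("COMP must be a subset of MASK (iptables rejects this too)")
    return (frozenset(pkt_flags) & mask_set) == comp_set


class LimitMatch:
    """Token-bucket approximation of -m limit --limit RATE/s --limit-burst BURST.
    Assumed default burst of 5 as documented in iptables(8)."""

    def __init__(self, rate_per_sec: float, burst: int = 5):
        self.rate, self.burst = rate_per_sec, burst
        self.tokens = float(burst)
        self.last: Optional[float] = None

    def match(self, now: float) -> bool:
        if self.last is not None:  # refill for the time elapsed, capped at burst
            self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


@dataclass
class Rule:
    target: str
    flags_mask: Tuple[str, ...] = ()
    flags_comp: Tuple[str, ...] = ()
    limit: Optional[LimitMatch] = None

    def matches(self, pkt_flags: Sequence[str], now: float) -> bool:
        # Matches run in command-line order: the bucket is only consulted
        # (and a token only spent) when the flags clause has matched.
        if self.flags_mask and not tcp_flags_match(pkt_flags, self.flags_mask, self.flags_comp):
            return False
        if self.limit is not None and not self.limit.match(now):
            return False
        return True


def run_chain(rules: List[Rule], policy: str,
              packets: Sequence[Tuple[float, Tuple[str, ...]]]) -> List[str]:
    """Walk (timestamp, flags) packets through the chain: first matching rule wins,
    otherwise the chain policy (assumed DROP below) decides."""
    verdicts = []
    for now, flags in packets:
        verdict = policy
        for rule in rules:
            if rule.matches(flags, now):
                verdict = rule.target
                break
        verdicts.append(verdict)
    return verdicts


def forward_chain() -> List[Rule]:
    """The single rule from the mail."""
    return [Rule("ACCEPT", (SYN, ACK, FIN, RST), (RST,), LimitMatch(1.0, burst=5))]


def probe_types_seen_by_rule() -> Dict[str, bool]:
    """Observation 3: which constructed probe types the flags clause matches at all."""
    probes = {
        "SYN scan": (SYN,),
        "FIN scan": (FIN,),
        "bare RST": (RST,),
        "RST+PSH": (RST, PSH),                   # PSH is outside the mask: still matches
        "RST+ACK (ordinary reset)": (RST, ACK),  # ACK is inside the mask and set: no match
    }
    return {name: tcp_flags_match(f, (SYN, ACK, FIN, RST), (RST,)) for name, f in probes.items()}


def rst_flood_verdicts() -> List[str]:
    """Observation 2: ten constructed bare-RST probes 0.1 s apart. The burst lets
    five through; the rest fall to the assumed DROP policy."""
    return run_chain(forward_chain(), "DROP", [(i * 0.1, (RST,)) for i in range(10)])


def paced_rst_verdicts() -> List[str]:
    """Once the burst is spent, probes exactly 1 s apart each earn one token and pass."""
    chain = forward_chain()
    flood = [(i * 0.1, (RST,)) for i in range(10)]
    paced = [(1.9 + i, (RST,)) for i in range(4)]
    return run_chain(chain, "DROP", flood + paced)[len(flood):]


if __name__ == "__main__":
    print(probe_types_seen_by_rule())
    print(rst_flood_verdicts())
    print(paced_rst_verdicts())
```

Running it shows the point of observation 3 directly: SYN and FIN probes never reach the limit match, a bare RST or RST+PSH does, and an RST with ACK set (the normal reset a host sends) does not; and the point of observation 2: what a scanner sees for the sixth and later RSTs in a burst is whatever the rest of the chain does with them, not anything this rule decides.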