> On Wednesday 05 November 2003 2:14 pm, Leandro Takashi Hirano wrote:
>
>> How does this rule work?
>>
>> iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit
>> --limit 1/s -j ACCEPT
>
> It means that any packets which have the RST flag set, and the SYN, ACK,
> FIN flags cleared, will only be allowed *through* the firewall at a
> maximum rate of one packet per second.
>
>> Is it safe to use only this rule to avoid port scanners?
>
> Depends what you mean by "safe" and "avoid" :)
>
> Here are some observations on the above rule:
>
> 1. It is in the FORWARD chain, therefore it has no effect on people port
> scanning the firewall itself (it would need to be in the INPUT chain to
> affect that).
>
> 2. One packet per second will be ACCEPTed. What happens to the other
> packets (and whether anything gets returned to the scanner) depends on
> the other rules following this one in the chain.

OK, one packet per second will be ACCEPTed, but aren't the other packets
going to be DROPed?

> 3. The rule only applies to packets with RST set, and SYN, ACK, FIN
> clear. Therefore it will influence the outcome of a RST port scan,
> but have no effect on a FIN scan, or a SYN scan.

Do I also have to create a rule for FIN scans and SYN scans? Do you have
some port scanner rules to show me? (and other protection rules too)

And thanks very much for the help!!!

> I think in order to answer your question we first need to know:
>
> - what response do you want someone to get when they attempt to port
> scan your system?

no answer....

> Regards,
>
> Antony.
>
> --
>
> "It is not the strongest of the species that survive, nor the most
> intelligent, but the ones most responsive to change."
>
> - Charles Darwin
>
> Please reply to the list;
> please don't CC me.
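The quoted explanation (a `--tcp-flags MASK COMP` match that looks only at the bits named in MASK and requires exactly COMP to be set, followed by `-m limit`) and Antony's points 2 and 3 can be made concrete with a small simulation. This is an added illustration written for this thread, not netfilter code and not anything Antony or Leandro posted: it models the flag-mask comparison, a token bucket for `-m limit` (the real module is a token bucket whose `--limit-burst` defaults to 5, which is why the first few RST packets all pass even at `--limit 1/s`), and a chain walk in which a rule whose limit is exhausted simply does not match, so the next rule or the chain policy decides. The chain, the packet timings and the flag values are constructed for the example.

```python
"""Simulation of `--tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT`.

Added example for this thread; it models iptables semantics, it is not iptables code.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# TCP header flag bits (RFC 793 positions, as iptables names them).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def flags_to_bits(names: str) -> int:
    """Turn an iptables flag list ('SYN,ACK,FIN,RST', 'ALL', 'NONE') into a bit mask."""
    if names == "ALL":
        return 0x3F
    if names == "NONE":
        return 0
    return sum(TCP_FLAGS[n] for n in names.split(","))


def tcp_flags_match(mask: str, comp: str, packet_flags: int) -> bool:
    """--tcp-flags MASK COMP: only the bits in MASK are examined, and exactly COMP must be set.

    Bits outside MASK (e.g. PSH, URG) are ignored, so 'RST' and 'RST+PSH' both match
    the rule from the thread, while 'FIN' alone or 'SYN' alone do not.
    """
    return (packet_flags & flags_to_bits(mask)) == flags_to_bits(comp)


class LimitMatch:
    """Token bucket approximating -m limit: average `rate` matches/s, up to `burst` at once."""

    def __init__(self, rate_per_s: float, burst: int = 5):  # iptables --limit-burst default is 5
        self.rate = rate_per_s
        self.burst = burst
        self.tokens = float(burst)  # bucket starts full, so the first `burst` packets match
        self.last = 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


@dataclass
class Rule:
    mask: str
    comp: str
    target: str
    limiter: Optional[LimitMatch] = None  # None means no -m limit on this rule


def evaluate_chain(rules: List[Rule], policy: str, packet_flags: int, now: float) -> str:
    """Walk a chain: the first rule whose matches all succeed decides, otherwise the policy does."""
    for rule in rules:
        if not tcp_flags_match(rule.mask, rule.comp, packet_flags):
            continue
        if rule.limiter is not None and not rule.limiter.allow(now):
            continue  # limit exhausted: this rule does not match, keep walking the chain
        return rule.target
    return policy


def run_chain(rules: List[Rule], policy: str, packets: List[Tuple[float, int]]) -> List[str]:
    """Feed (time, flags) packets through the chain and return the verdict for each."""
    return [evaluate_chain(rules, policy, flags, t) for t, flags in packets]


def demo() -> dict:
    """Constructed scenario: the thread's rule followed by an explicit DROP for the same flags."""
    rules = [
        Rule("SYN,ACK,FIN,RST", "RST", "ACCEPT", LimitMatch(rate_per_s=1.0)),
        Rule("SYN,ACK,FIN,RST", "RST", "DROP"),  # what the thread's point 2 says is up to you
    ]
    # Ten RST-only packets in one second: a burst of 5 passes, the rest hit the DROP rule.
    rst_burst = [(i / 10, TCP_FLAGS["RST"]) for i in range(10)]
    rst_verdicts = run_chain(rules, "ACCEPT", rst_burst)
    # FIN-only and SYN-only packets never match either rule (point 3), so the policy decides.
    fin_verdict = evaluate_chain(rules, "ACCEPT", TCP_FLAGS["FIN"], 2.0)
    syn_verdict = evaluate_chain(rules, "ACCEPT", TCP_FLAGS["SYN"], 2.0)
    return {
        "rst_accepted": rst_verdicts.count("ACCEPT"),
        "rst_dropped": rst_verdicts.count("DROP"),
        "fin": fin_verdict,
        "syn": syn_verdict,
    }


if __name__ == "__main__":
    print(demo())
```

Two things the simulation makes visible that the one-line rule hides: the burst allowance means "one per second" is an average, not a hard cap on the first packets, and without a following DROP rule the non-matching remainder falls through to whatever comes next in the chain, which is exactly why the thread asks what response the scanner should get.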