Greetings!

On Tue, 2003-12-02 at 11:26, Thomas Preissler wrote:
> I mean that it looks like the computer with IP x is not reachable
> in the same way as when you address an IP that addresses no
> computer, i.e. an unused IP.

Then using a "drop" is not quite the same. Let's say you have no firewall
and someone sends a packet to an unused IP:

  - the packet is received by your edge router
  - the router realizes the target IP is local, off one of its interfaces
  - the router sends 3 ARP requests for the IP
  - when no ARP reply is received, the router gives up and returns a
    host unreachable to the source IP

Again, nmap expects the above, which is why it reports "filtered" when it
hits your drop rule. This is why you can mess up its results by returning
host unreachables.

> Background: I am just experimenting and this was an interesting
> issue for me. I want to set up a whole net with UML boxes and hide
> the physical computer.

UML does this quite nicely. I was part of the crew that started Dartmouth's
security institute, as well as one of the original members of the Honeynet.
In both groups we used UML extensively in the setup you mention above.

Check: http://www.ists.dartmouth.edu

They probably still have some papers up there written by Bill Stearns and
myself on the subject.

HTH,
C
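The behaviour the message describes, as an added example that is not part of the thread and not nmap's own code: a small Python model of how a SYN scanner turns the replies to one probe into a port state, fed with packets constructed inline as raw IPv4 bytes. The mapping of ICMP type 3 codes 1, 2, 3, 9, 10 and 13 to "filtered" and the reason strings ("no-response", "host-unreach", "reset", "syn-ack", ...) follow nmap's documented port-state rules and its `--reason` output; the addresses, port numbers and the `classify_syn_probe`/`scenarios` helpers are assumptions made for the example.

```python
"""Toy model of nmap's SYN-probe classification (added example, not nmap code).

Scenarios modelled: an unused IP behind an edge router, an iptables DROP rule,
REJECT --reject-with icmp-host-unreachable, REJECT --reject-with tcp-reset, and
an open port. All packets and addresses are constructed (RFC 5737 ranges).
"""
import ipaddress
import struct

TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10

# ICMP destination-unreachable codes that nmap maps to "filtered" in a TCP SYN
# scan, with the reason string nmap prints for --reason.
UNREACH_REASON = {1: "host-unreach", 2: "proto-unreach", 3: "port-unreach",
                  9: "net-prohibited", 10: "host-prohibited", 13: "admin-prohibited"}


def ipv4(proto, src, dst, payload):
    """IPv4 header without options; checksum left 0 (the classifier never checks it)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def tcp(sport, dport, flags):
    """20-byte TCP header; only ports, data offset and flags matter here."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0, 0, 0)


def icmp_unreachable(code, offending):
    """ICMP type 3: code, 4 unused bytes, then the IP header and first 8 bytes
    of the datagram that could not be delivered."""
    return struct.pack("!BBHI", 3, code, 0, 0) + offending[:28]


def classify_syn_probe(target, port, replies):
    """Return (state, reason) for one SYN probe to target:port.

    replies is the list of raw IPv4 packets that came back; an empty list models
    every retransmission timing out, which is what a DROP rule produces."""
    for pkt in replies:
        proto = pkt[9]
        src = str(ipaddress.IPv4Address(pkt[12:16]))
        body = pkt[20:]
        if proto == 6 and src == target:
            sport, dport = struct.unpack("!HH", body[:4])
            flags = body[13]
            if sport != port:
                continue
            if flags & TCP_SYN and flags & TCP_ACK:
                return "open", "syn-ack"
            if flags & TCP_RST:
                return "closed", "reset"
        elif proto == 1 and body[0] == 3 and body[1] in UNREACH_REASON:
            # Sent by whoever could not deliver the probe: the target's own stack
            # (iptables REJECT) or, for an unused IP, the edge router. Match it
            # to our probe via the quoted datagram.
            quoted = body[8:]
            q_dst = str(ipaddress.IPv4Address(quoted[16:20]))
            q_dport = struct.unpack("!H", quoted[22:24])[0]
            if q_dst == target and q_dport == port:
                return "filtered", UNREACH_REASON[body[1]]
    return "filtered", "no-response"


# Constructed addresses: scanner, the edge router, the scanned host, probed port.
SCANNER, ROUTER, TARGET, PORT = "203.0.113.5", "198.51.100.1", "198.51.100.20", 22
PROBE = ipv4(6, SCANNER, TARGET, tcp(40000, PORT, TCP_SYN))


def scenarios():
    """What comes back to the scanner in each case (constructed replies)."""
    return {
        # unused IP: the router's ARP requests go unanswered, so the router
        # itself sends host unreachable, from its own address
        "unused ip": [ipv4(1, ROUTER, SCANNER, icmp_unreachable(1, PROBE))],
        # iptables -j DROP: nothing ever comes back
        "drop": [],
        # iptables -j REJECT --reject-with icmp-host-unreachable: the host
        # imitates the router, but the ICMP carries the host's own source address
        "reject host-unreach": [ipv4(1, TARGET, SCANNER, icmp_unreachable(1, PROBE))],
        # iptables -j REJECT --reject-with tcp-reset: looks like a closed port
        "reject tcp-reset": [ipv4(6, TARGET, SCANNER, tcp(PORT, 40000, TCP_RST | TCP_ACK))],
        "open": [ipv4(6, TARGET, SCANNER, tcp(PORT, 40000, TCP_SYN | TCP_ACK))],
    }


def results():
    """Port state and reason per scenario."""
    return {name: classify_syn_probe(TARGET, PORT, pkts)
            for name, pkts in scenarios().items()}


if __name__ == "__main__":
    for name, (state, reason) in results().items():
        print(f"{name:20s} {state:9s} ({reason})")
```

Both the DROP rule and the unused IP end up as "filtered", which is the point of the message; with `--reason` they differ ("no-response" versus "host-unreach"), so a host that wants to look unused should answer the way the router would rather than stay silent. One caveat the model makes visible: the router's ICMP comes from the router's address, whereas a REJECT rule's ICMP comes from the host's own address, which is a tell for anyone looking at the error's source.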