On Wed, 2004-06-09 at 12:37, Rakotomandimby Mihamina wrote: > John A. Sullivan III wrote: > > Hope this helps - John > > it does ! > but : > > if i 'tail -f' my web server access log and the iptables log, I notice > those "port_scan" are done when visitors are visiting my site : same > time, same IP. I dont think each visitor would want to hack me. > > My conclusion is my rule is not very good, as well as the logged packet > is dropped, it would decrease accuracy of the website. What should i do > to make it better ? I still want to keep port scan prevention, but want > to avoid dropping non-offending packets ... but if you think the website > accuracy wouldnt be down for that reason, i will keep it as it is ... Hmmm . . . I assume what you are trying to do is pick up all packets with the RST flag on that are not part of a current session, such as those used to probe a site. I'm a little rusty on when RSTs are sent. If they are part of the packet stream, then I would think conntrack will pick it up and the legitimate RSTs would never hit your rule. I assume you are using conntrack. However, are RSTs sent when a stream is broken and thus sent as a separate data stream? I'd have to pull out an IP book to review the RST flag and why it would not be matched in conntrack. Does anyone else know off the top of their head? -- John A. Sullivan III Chief Technology Officer Nexus Management +1 207-985-7880 john.sullivan@xxxxxxxxxxxxx