> Actually, a null scan should be generating INVALID packets, and if one

Does it really? What if there happens to be a null-flags/xmas-flags tcp
packet in an otherwise well-behaved tcp connection? I'd guess it would
match ESTABLISHED, even if it has got null flags.

> turns on those detections and rejections within the kernel, as well as
> perhaps adding a rule or two to DROP INVALID packets they should be
> covered, should they not? And thus with far less resource over head as
> extensive rules in their ruleset?

That depends on what you want. The full fun (shortened here) currently
present in AS_IPFW is:

(base is iptables -P INPUT DROP)

iptables -A scanchk -j REJECT --reject-with host-unreach -m random \
  --average 20;
iptables -A INPUT -g scanchk -p tcp ! --syn -m state --state INVALID;
iptables -A INPUT -j TARPIT -p tcp;
iptables -A INPUT -j REJECT --reject-with net-unreach -m random \
  --average 10;

Of course you can all DROP that, but I like to actively hinder unwanted
senders, and so, the implementation of this hindering requires REJECT.


Jan Engelhardt
-- 
| Gesellschaft fuer Wissenschaftliche Datenverarbeitung Goettingen,
| Am Fassberg, 37077 Goettingen, www.gwdg.de
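The mail turns on what a "null-flags" or "xmas-flags" segment actually is at the wire level, and on the fact that the flag byte alone says nothing about whether the segment belongs to a tracked connection (that is conntrack's job, which the rules above lean on via `--state INVALID`). The following is an added example, not code from the mail or from AS_IPFW: it parses the flag byte out of a raw TCP header (RFC 793 layout) and classifies segments the way Nmap names its probes (-sN null, -sX xmas, -sF fin). The sample segments are constructed by hand; the helper names are my own.

```python
"""Stateless TCP flag classification for null/xmas/fin scan probes.

Added example (not from the original mail or from AS_IPFW).
Header layout per RFC 793; scan names per Nmap (-sN, -sX, -sF).
"""
import struct
from collections import Counter

# Flag bits in byte 13 of the TCP header (ECE/CWR occupy the top two bits).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def tcp_flags(segment: bytes) -> int:
    """Return the six classic flag bits of a raw TCP segment."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13] & 0x3F


def classify(flags: int) -> str:
    """Name the probe type implied by the flag combination alone.

    Note the limitation the thread points at: this looks at one segment
    in isolation and cannot tell whether it sits inside an otherwise
    well-behaved connection; only a connection tracker can do that.
    """
    f = flags & 0x3F
    if f == 0:
        return "null-scan"          # Nmap -sN: no flags at all
    if f == FIN | PSH | URG:
        return "xmas-scan"          # Nmap -sX: FIN+PSH+URG "lit up"
    if f == FIN:
        return "fin-scan"           # Nmap -sF
    if f & SYN and not f & ACK:
        return "syn"                # ordinary connection attempt
    if f & ACK:
        return "ack-bearing"        # would normally belong to a flow
    return "other"


def build_segment(src_port: int, dst_port: int, flags: int,
                  seq: int = 0, ack: int = 0) -> bytes:
    """Construct a minimal 20-byte TCP header (no options, checksum 0).

    Hypothetical helper used only to fabricate sample input offline.
    """
    data_offset = 5 << 4            # 5 x 32-bit words, no options
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset, flags & 0xFF, 8192, 0, 0)


def count_probes(segments) -> Counter:
    """Tally classifications over a batch of raw segments."""
    return Counter(classify(tcp_flags(s)) for s in segments)


if __name__ == "__main__":
    # Constructed sample: a handshake, one data segment, then three probes
    # of the kind a scanner would send with no prior SYN.
    sample = [
        build_segment(40000, 80, SYN, seq=1),
        build_segment(80, 40000, SYN | ACK, seq=900, ack=2),
        build_segment(40000, 80, ACK | PSH, seq=2, ack=901),
        build_segment(40001, 80, 0),                    # null scan
        build_segment(40002, 80, FIN | PSH | URG),      # xmas scan
        build_segment(40003, 80, FIN),                  # fin scan
    ]
    for s in sample:
        print(f"flags=0x{tcp_flags(s):02x} -> {classify(tcp_flags(s))}")
    print(count_probes(sample))
```

Run it as a script to see the per-segment verdicts; the `count_probes` tally is the sort of thing you would feed a log-based detector, while the kernel-side equivalent of this check is the `! --syn -m state --state INVALID` test in the rules quoted above.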