>>>> what we want is for the firewall to be immune to invalid packets
>>>> generated by these kinds of scans, yes? to not give out port information when
>>>> hits with
>>>
>>> hi
>>>
>>> i'm using an alternate method to be a bit immune to these scans, i found it
>>> about a year ago googling ;) it doesn't match on syn/other flags, it requires
>>> that the packet must have TCP option 2 ;) and it's working fine, all operating
>>> systems send their mtu in the syn packet only
>>>
>>> $ipt -p tcp --tcp-option ! 2 -j DROP #REJECT --reject-with tcp-reset
>>>
>>> kirk
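To see what kirk's `--tcp-option ! 2` test actually keys on, here is an added Python example (not from the thread and not iptables code): it builds a few constructed TCP headers, walks the option list the way the kernel's tcp match does, and applies the rule. Option kind 2 is the Maximum Segment Size, which TCP carries only in SYN segments, so a hand-built probe with no options at all (Null, Xmas or FIN scan packets) fails the test, but so does every ordinary ACK/data segment of an established connection. The second verdict function therefore assumes the caller supplies the connection-tracking state (the role conntrack plays in a real firewall) and only applies the test to packets that are not already part of a known connection. Port numbers, packets and the `established` flag are all constructed for the example.

```python
import struct

# TCP flag bits (byte 13 of the header) and the option kinds we care about
TH_FIN, TH_SYN, TH_RST, TH_PSH, TH_ACK, TH_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2


def build_tcp_segment(sport, dport, flags, options=b""):
    """Construct a minimal TCP header (no IP header, no payload, checksum 0)
    with the given flags and raw option bytes, padded to a 4-byte boundary."""
    options += b"\x00" * ((-len(options)) % 4)
    data_offset = 5 + len(options) // 4          # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                         data_offset << 4, flags, 65535, 0, 0)
    return header + options


def tcp_options(segment):
    """Yield (kind, data) for each option in the TCP header, stopping at EOL."""
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    i = 20
    while i < data_offset:
        kind = segment[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:                      # single-byte option, no length
            yield kind, b""
            i += 1
            continue
        if i + 1 >= data_offset:
            raise ValueError("truncated option")
        length = segment[i + 1]
        if length < 2 or i + length > data_offset:
            raise ValueError("bad option length")
        yield kind, segment[i + 2:i + length]
        i += length


def has_option(segment, kind):
    return any(k == kind for k, _ in tcp_options(segment))


def mss_value(segment):
    """Return the advertised MSS, or None when the segment carries no MSS option."""
    for kind, data in tcp_options(segment):
        if kind == OPT_MSS and len(data) == 2:
            return struct.unpack("!H", data)[0]
    return None


def verdict_all_tcp(segment):
    """Mirror of '-p tcp --tcp-option ! 2 -j DROP' applied to every TCP packet."""
    return "ACCEPT" if has_option(segment, OPT_MSS) else "DROP"


def verdict_with_state(segment, established):
    """Same test, but only for packets not already attributed to a known
    connection; `established` stands in for the firewall's conntrack lookup
    (an assumption of this example)."""
    if established:
        return "ACCEPT"                          # leave established traffic to other rules
    return "ACCEPT" if has_option(segment, OPT_MSS) else "DROP"


# Constructed sample packets, all from port 40000 to port 80.
# A normal SYN as a real stack sends it: MSS 1460, two NOPs, window scale 7.
MSS_SYN = build_tcp_segment(40000, 80, TH_SYN,
                            struct.pack("!BBH", OPT_MSS, 4, 1460) + b"\x01\x01"
                            + struct.pack("!BBB", 3, 3, 7))
NULL_SCAN = build_tcp_segment(40000, 80, 0)                      # no flags, no options
XMAS_SCAN = build_tcp_segment(40000, 80, TH_FIN | TH_PSH | TH_URG)
FIN_SCAN = build_tcp_segment(40000, 80, TH_FIN)
BARE_SYN = build_tcp_segment(40000, 80, TH_SYN)                  # hand-crafted SYN, no MSS
MIDSTREAM_ACK = build_tcp_segment(40000, 80, TH_ACK | TH_PSH)    # ordinary data segment

if __name__ == "__main__":
    for name, pkt in [("MSS_SYN", MSS_SYN), ("NULL_SCAN", NULL_SCAN),
                      ("XMAS_SCAN", XMAS_SCAN), ("FIN_SCAN", FIN_SCAN),
                      ("BARE_SYN", BARE_SYN), ("MIDSTREAM_ACK", MIDSTREAM_ACK)]:
        est = name == "MIDSTREAM_ACK"
        print(f"{name:14} options={[k for k, _ in tcp_options(pkt)]} "
              f"all-tcp={verdict_all_tcp(pkt)} with-state={verdict_with_state(pkt, est)}")
```

Running it shows the stealth-scan probes and the option-less SYN dropped by both variants, while the mid-stream ACK is dropped only by the unconditional rule; in the stateful variant the probes are still caught because no connection exists for them.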