curby . wrote:
[SNIP]
> Here are some rules I've used when testing out ways to catch nmap
> scans. If anyone knows what the SYN,RST SYN,RST match is for, please
> let me know.
> [SNIP]
> # Misc scan - everyone tests for this, but what scan does it match?
> $IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j
> DROP || die 05 87

"--tcp-flags SYN,RST SYN,RST" means "watch TCP flags SYN and RST and match if, out of the watched flags, SYN and RST are set". Ok, you knew that already :)

According to RFC793, sending a SYN means "hey guy, I wanna talk to you, let's SYNchronize our sequence numbers". The only flag that is allowed to be sent along with a SYN is ACK, and this only in the 2nd packet of the 3-way handshake.

Sending RST means "oops, there's something wrong, ReSeT the connection".

So, sending SYN in conjunction with RST means that a connection shall be opened and aborted at the same time. This is
1.) A violation of RFC793
2.) Absolutely senseless in terms of a real connection

Thus, chances are good that someone is scanning you.

Hum, cold coffee too.

nmap doesn't generate this scan, and in fact I don't know which scanner does. But it is possible to generate these packets with packet injection tools like nemesis. So it is possible that these packets come to your firewall (although they shouldn't) and you don't want them to pass. That's why I probe for this.

Have a nice time,
Joerg
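Added example (not part of the thread, nor netfilter's own code): a small Python model of the iptables "--tcp-flags MASK COMP" match semantics described above, run over constructed TCP flag bytes so you can see which packets the SYN,RST rule drops. The flag bit values are the standard TCP header bits; the sample packets and the function names are my own.

```python
# Model of the iptables "--tcp-flags MASK COMP" match, applied to the
# TCP flag byte of a few constructed packets. Added example, not the
# code of the thread or of netfilter. Flag bit values follow RFC 793.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
         "ACK": 0x10, "URG": 0x20}

def flag_bits(names):
    """Turn a comma-separated iptables flag list (or ALL/NONE) into a bitmask."""
    names = names.upper()
    if names == "ALL":
        return sum(FLAGS.values())
    if names == "NONE":
        return 0
    return sum(FLAGS[n] for n in names.split(","))

def tcp_flags_match(mask, comp, flags_byte):
    """iptables semantics: look only at the bits in MASK and match when
    exactly the bits in COMP (and no other masked bits) are set."""
    return (flags_byte & flag_bits(mask)) == flag_bits(comp)

def syn_rst_rule_drops(flags_byte):
    """The rule from the thread: --tcp-flags SYN,RST SYN,RST -j DROP."""
    return tcp_flags_match("SYN,RST", "SYN,RST", flags_byte)

# Constructed sample packets, given as their TCP flag bytes.
SAMPLES = {
    "syn":         FLAGS["SYN"],                               # normal connection request
    "syn_ack":     FLAGS["SYN"] | FLAGS["ACK"],                # 2nd packet of the handshake
    "rst":         FLAGS["RST"],                               # plain reset
    "syn_rst":     FLAGS["SYN"] | FLAGS["RST"],                # illegal per RFC 793
    "syn_rst_ack": FLAGS["SYN"] | FLAGS["RST"] | FLAGS["ACK"], # still SYN+RST, also dropped
}

def classify(samples=SAMPLES):
    """Return {sample name: True if the SYN,RST rule would DROP it}."""
    return {name: syn_rst_rule_drops(b) for name, b in samples.items()}

if __name__ == "__main__":
    for name, dropped in classify().items():
        print(f"{name:12s} -> {'DROP' if dropped else 'pass'}")
```

Because only the masked bits are compared, a SYN+RST packet is dropped whether or not ACK or PSH happen to be set as well, while a normal SYN or SYN/ACK passes.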