On Thu, Feb 4, 2010 at 6:41 AM, paddy joesoap <paddyjoesoap@xxxxxxxxx> wrote:
> Hi all,
>
> Does the INVALID state filter prevent port (nmap) scans?
>
> That is, would the following stateful rule:
>
> iptables -A INPUT -m state --state INVALID -j DROP
>
> do the same job as the following stateless rules?
>
> iptables -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -j DROP
> iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
> iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
> iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
> iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
> iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
> iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
> iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
> iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
> etc etc.
>

Did this guy ever get an answer?

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
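The question compares two mechanisms that work on different inputs: `--tcp-flags MASK COMP` looks at the flag byte of one packet (it matches when, of the bits in MASK, exactly those in COMP are set), while `-m state --state INVALID` asks conntrack, which first rejects TCP packets whose flag combination is not well-formed and then checks the packet against the tracked connection state. The following Python model, added here and not part of the thread, implements the `--tcp-flags` semantics, parses the nine quoted rules, and runs constructed sample packets through both them and a flag-validity table. The table is written from memory of `tcp_valid_flags` in the kernel's `nf_conntrack_proto_tcp.c` (PSH is ignored by that check) and is an assumption to verify against the kernel you run; the state-table half of the INVALID decision (which depends on what conntrack has already seen) is deliberately not modelled.

```python
"""Model of iptables '--tcp-flags MASK COMP' matching versus the TCP flag
sanity check of nf_conntrack, applied to the rule list quoted in the thread.

Added example, not code from the list post. The CONNTRACK_VALID table is
reproduced from memory of tcp_valid_flags in nf_conntrack_proto_tcp.c and
is an assumption: check it against your kernel source.
"""

# TCP header flag bits (the real header bit values).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_FLAGS = sum(FLAG_BITS.values())  # iptables 'ALL' means all six flags


def parse_flags(spec):
    """Turn an iptables flag list ('SYN,ACK', 'ALL', 'NONE') into a bitmask."""
    if spec == "ALL":
        return ALL_FLAGS
    if spec == "NONE":
        return 0
    mask = 0
    for name in spec.split(","):
        mask |= FLAG_BITS[name]  # KeyError on a typo, as iptables would reject it
    return mask


def parse_tcp_flags_rule(rule):
    """Extract (mask, comp) from an 'iptables ... --tcp-flags MASK COMP ...' line."""
    tokens = rule.split()
    i = tokens.index("--tcp-flags")
    return parse_flags(tokens[i + 1]), parse_flags(tokens[i + 2])


def tcp_flags_match(flags, mask, comp):
    """iptables semantics: of the bits in MASK, exactly those in COMP are set."""
    return (flags & mask) == comp


# The stateless rules quoted in the thread (the stray '-m' removed from the first).
STATELESS_RULES = [
    "iptables -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -j DROP",
    "iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP",
    "iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP",
    "iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP",
    "iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP",
    "iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP",
    "iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP",
    "iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP",
    "iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP",
]
PARSED_RULES = [parse_tcp_flags_rule(r) for r in STATELESS_RULES]


def first_dropping_rule(flags):
    """Index of the first quoted rule that drops a packet with these flags, or None.

    Rules are evaluated in order, as iptables traverses a chain."""
    for idx, (mask, comp) in enumerate(PARSED_RULES):
        if tcp_flags_match(flags, mask, comp):
            return idx
    return None


# Flag combinations conntrack's TCP tracker accepts as well-formed (assumed
# table, PSH ignored). Any other combination is marked INVALID before the
# connection state table is even consulted.
CONNTRACK_VALID = {
    parse_flags(s) for s in (
        "SYN", "SYN,URG", "SYN,ACK", "RST", "RST,ACK",
        "FIN,ACK", "FIN,ACK,URG", "ACK", "ACK,URG")
}


def conntrack_flags_valid(flags):
    """Flag-validity half of the INVALID decision; state tracking is not modelled."""
    return (flags & ~FLAG_BITS["PSH"]) in CONNTRACK_VALID


def compare(spec):
    """Run one constructed packet (given by its flag list) through both checks."""
    flags = parse_flags(spec)
    return {
        "flags": spec,
        "stateless_drop": first_dropping_rule(flags) is not None,
        "conntrack_invalid": not conntrack_flags_valid(flags),
    }


# Constructed sample packets: a normal SYN, a handshake reply, a NULL probe,
# an Xmas-style probe, lone FIN, bare ACK, data segment, RST/ACK, SYN/FIN.
SAMPLE_PACKETS = ["SYN", "SYN,ACK", "NONE", "FIN,PSH,URG", "FIN",
                  "ACK", "PSH,ACK", "RST,ACK", "SYN,FIN"]

if __name__ == "__main__":
    for spec in SAMPLE_PACKETS:
        r = compare(spec)
        print(f"{spec:12} stateless_drop={r['stateless_drop']!s:5} "
              f"conntrack_invalid={r['conntrack_invalid']}")
```

Running it shows the two lists agree on the malformed combinations (NULL, SYN/FIN, lone FIN, FIN/PSH/URG) and on ordinary traffic (SYN, ACK, PSH/ACK, RST/ACK), but disagree on SYN/ACK: the first quoted rule drops every SYN/ACK arriving on INPUT, including the legitimate reply to a connection the host itself opened, whereas conntrack accepts that flag combination and decides on tracked state (a SYN/ACK belonging to a known connection is ESTABLISHED, one with no matching connection is INVALID). A stateless rule therefore needs an `ESTABLISHED,RELATED` accept in front of it to avoid breaking outbound connections, which is the kind of difference the model is meant to surface before a rule set goes live.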