Hello everyone,

When preventing (nmap) port scans, is it better to use the connection-tracking INVALID option or use a set of TCP flag filters, or both? Note, by my calculations there are 21 possible combinations of TCP flags; this includes legal and illegal flag combinations.

ASIDE: Can stateful filtering using NEW and ESTABLISHED on their own also work, given that connection-tracking is supposed to be tracking connections? For example, allow outbound NEW and ESTABLISHED traffic and allow inbound traffic recognised as ESTABLISHED. Would these stateful operations prevent nmap scanning?

I saw a few examples where the stateless TCP SYN flag match was used (by checking that no other flag was set) in conjunction with the NEW operator. For example:

    iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP   # using the not (!) operator

Why is this the case? I would have imagined that the NEW operator would require by default that only a SYN flag be present. Unless the NEW operator does not check by default that no other flag is enabled in conjunction with the SYN flag. Would this be the case?

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
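The rule ordering the post is asking about, written out as an added example (this is editor-supplied code, not part of the original post or the netfilter project). It combines the three checks the poster lists: accept packets conntrack already knows, drop what conntrack flags as INVALID, and then drop anything conntrack calls NEW that is not a clean SYN. The reason the third rule is still needed is that conntrack's NEW means "first packet of a connection it has not seen", not "plain SYN": with the default net.netfilter.nf_conntrack_tcp_loose=1, a bare ACK that matches no tracked connection is picked up as a possible mid-stream connection and is therefore NEW rather than INVALID, and a bare ACK is exactly what an ACK scan sends. The `--syn` match closes that gap because it requires SYN set and ACK, RST and FIN clear. The script uses the modern `-m conntrack --ctstate` form (equivalent to the poster's `-m state --state`), and the interface name, port list and the APPLY switch are assumptions; by default it only prints the rules it would install.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal stateful INPUT policy
# combining conntrack state checks with the stateless "! --syn" match.
# By default the iptables commands are printed only; run as root with
# APPLY=1 to install them.  Interface and port list are assumptions.

IPT="${IPT:-iptables}"
APPLY="${APPLY:-0}"

# run_rule: print the rule, and execute it only when APPLY=1
run_rule() {
    echo "$IPT $*"
    if [ "$APPLY" = "1" ]; then
        "$IPT" "$@" || return 1
    fi
}

# antiscan_rules IFACE PORT...: emit the INPUT chain rules for IFACE,
# allowing new inbound TCP connections only to the listed ports.
antiscan_rules() {
    iface="$1"; shift
    # 1. Packets belonging to a tracked connection (or related to one, e.g.
    #    ICMP errors) are accepted before any TCP flag test runs.
    run_rule -A INPUT -i "$iface" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 2. Conntrack marks malformed flag combinations (NULL, XMAS, SYN+FIN...)
    #    as INVALID; drop them here.
    run_rule -A INPUT -i "$iface" -m conntrack --ctstate INVALID -j DROP
    # 3. A packet conntrack has never seen can still be NEW without being a
    #    clean SYN (nf_conntrack_tcp_loose=1, the default, lets conntrack pick
    #    up mid-stream connections from a bare ACK), so drop NEW non-SYN.
    run_rule -A INPUT -i "$iface" -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
    # 4. Only now admit fresh connections to the advertised services.
    for port in "$@"; do
        run_rule -A INPUT -i "$iface" -p tcp --syn --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
    # 5. Everything else arriving on this interface is dropped.
    run_rule -A INPUT -i "$iface" -j DROP
}

# count_rules IFACE PORT...: number of rules the policy produces
count_rules() {
    antiscan_rules "$@" | wc -l | tr -d ' '
}

# Sample invocation (constructed): SSH and HTTPS on eth0.
antiscan_rules eth0 22 443
```

Rule 3 is what makes the ordering matter: if the per-port ACCEPT rules came before it, an ACK to port 22 would match `--ctstate NEW` on the accept rule and pass. Setting net.netfilter.nf_conntrack_tcp_loose=0 makes conntrack treat such unsolicited non-SYN packets as INVALID instead, so rule 2 would then catch them as well, but keeping the explicit `! --syn` drop costs nothing and does not depend on that sysctl.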