I have seen these rules used to detect a port scan:

iptables -A INPUT -i $INTERFACE --proto tcp --tcp-flags SYN,ACK,FIN,RST RST -j LOG --log-prefix "PORT SCAN: " --log-level 6
iptables -A INPUT -i $INTERFACE --proto tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP

It seems to me that this is a legitimate TCP flag combination, unless I'm reading the rule wrong. When I add them to the top of my ruleset with other invalid TCP flag rules, the above two rules seem to fire fairly frequently. What about this rule detects a port scan? I have a rule that accepts ESTABLISHED and RELATED states. The rules seem to fire mostly on legitimate LDAP connections.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
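The following is an added example, not part of the original post and not netfilter project code. It reproduces the semantics of `--tcp-flags mask comp` as the kernel's TCP match applies them: only the flags named in the mask are examined, and the match succeeds when, among those, exactly the flags in comp are set. For the rule in the question that means "of SYN, ACK, FIN and RST, only RST is set", i.e. a bare RST with no ACK; PSH and URG are outside the mask and ignored. Per RFC 793 a reset answering a SYN carries ACK, while a bare RST is what a host sends back when it receives a segment that itself carried ACK but belongs to no connection it knows, which is why such segments can come from ordinary peers and not only from scanners. The script enumerates every flag combination the rule accepts and then replays constructed LOG-target lines (addresses from RFC 5737, port 389 for LDAP; the lines are made up, not captures) through the same test to show which would have been logged.

```python
"""Added example: evaluate an iptables `--tcp-flags mask comp` match the way
the kernel's TCP match does, on bare flag sets and on LOG-target lines.
Not from the thread; the sample log lines below are constructed, not real."""
import re

TCP_FLAGS = frozenset({"FIN", "SYN", "RST", "PSH", "ACK", "URG"})


def parse_flag_word(word):
    """Turn one word of --tcp-flags ('SYN,ACK,FIN,RST', 'ALL' or 'NONE')
    into a frozenset of flag names."""
    word = word.strip().upper()
    if word == "ALL":
        return TCP_FLAGS
    if word == "NONE":
        return frozenset()
    flags = frozenset(f.strip() for f in word.split(","))
    unknown = flags - TCP_FLAGS
    if unknown:
        raise ValueError(f"unknown TCP flag(s): {sorted(unknown)}")
    return flags


def tcp_flags_match(packet_flags, mask, comp):
    """Kernel semantics of --tcp-flags: look only at the flags in `mask`;
    the match succeeds when exactly the flags in `comp` are set among them."""
    return (frozenset(packet_flags) & mask) == comp


# Bare words the LOG target prints for TCP after the RES= field.
LOG_FLAG_RE = re.compile(r"\b(FIN|SYN|RST|PSH|ACK|URG)\b")


def flags_from_log_line(line):
    """Return the TCP flags named in a netfilter LOG line, or None if the
    line is not a TCP entry. Only the text after RES= is scanned so that a
    log prefix cannot be mistaken for a flag word."""
    if "PROTO=TCP" not in line or "RES=" not in line:
        return None
    return frozenset(LOG_FLAG_RE.findall(line.split("RES=", 1)[1]))


def lines_matching_rule(lines, mask_word="SYN,ACK,FIN,RST", comp_word="RST"):
    """Replay LOG lines through the rule's flag test and return those that
    would have hit it. Defaults are the rule from the question."""
    mask, comp = parse_flag_word(mask_word), parse_flag_word(comp_word)
    return [line for line in lines
            if (flags := flags_from_log_line(line)) is not None
            and tcp_flags_match(flags, mask, comp)]


def flag_combinations_matched(mask_word="SYN,ACK,FIN,RST", comp_word="RST"):
    """Enumerate all 64 combinations of the six TCP flags and report which
    ones the rule accepts; shows that flags outside the mask do not matter."""
    mask, comp = parse_flag_word(mask_word), parse_flag_word(comp_word)
    names = sorted(TCP_FLAGS)
    matched = []
    for bits in range(1 << len(names)):
        combo = frozenset(n for i, n in enumerate(names) if bits & (1 << i))
        if tcp_flags_match(combo, mask, comp):
            matched.append(combo)
    return matched


# Constructed LOG lines; none of these are real captures.
SAMPLE_LOG_LINES = [
    # bare RST from the LDAP server port: the only kind this rule matches
    "PORT SCAN: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=389 DPT=51234 WINDOW=0 RES=0x00 RST URGP=0",
    # RST/ACK, the normal reply to a SYN for a closed port: not matched
    "IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=389 DPT=51235 WINDOW=0 RES=0x00 ACK RST URGP=0",
    # SYN/ACK handshake reply: not matched
    "IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=389 DPT=51236 WINDOW=65535 RES=0x00 ACK SYN URGP=0",
    # data segment with PSH/ACK: not matched (ACK is in the mask and set)
    "IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=120 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=389 DPT=51237 WINDOW=65535 RES=0x00 ACK PSH URGP=0",
    # a non-TCP line is skipped entirely
    "IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1",
]


if __name__ == "__main__":
    for combo in flag_combinations_matched():
        print("rule matches flags:", ",".join(sorted(combo)))
    for line in lines_matching_rule(SAMPLE_LOG_LINES):
        print("would log:", line.split("PROTO=", 1)[1])
```

Running it lists four accepted combinations (RST alone and RST with any mix of PSH and URG) and flags only the first sample line, the bare RST. To see what is actually hitting a live rule, feed the LOG lines from the kernel log to `lines_matching_rule` and look at the SPT/DPT and SRC fields of the hits rather than the prefix alone.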