Yes... so if you want your ports to appear as closed, you could use the target

    ... -j REJECT --reject-with type

The type given can be icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited or icmp-host-prohibited.

Edu GV

On Fri, 28 Jan 2005 09:48:53 +0100, Dobersberger Dieter <dieter.dobersberger_at_trench.at> wrote:
> > When I enter iptables -P INPUT DROP, normally all ports should
> > be closed.
> > But a portscan from http://www.sns.co.at/german/tools.htm
> > tells me that
> > all TCP ports are stealth, ICMP is closed and all scanned UDP
> > ports are
> > open.
>
> Because UDP is a stateless protocol, a UDP scan cannot be 100%
> accurate, because you can never know if your packet was received. You
> can only know if it was rejected, because you get an ICMP
> destination-unreachable packet back in that case. But if the packet was
> dropped by a firewall, some portscanners assume it was received by the
> destination host, because there is no negative answer.
>
> So I would guess the scanner you are using is reporting the wrong ports
> as open.
>
> You should verify your results with an external host running nmap to be
> sure.
>
> best regards,
> Dieter
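Putting the two replies together, here is an added example ruleset (not from the thread) that keeps the DROP policy the original poster used but answers unsolicited UDP with ICMP port-unreachable, so a UDP scanner sees "closed" instead of inferring "open" from silence. It assumes a Linux host with iptables; the IPTABLES variable and the list_rules helper are conveniences of this example so the rules can be previewed without root.

```shell
#!/bin/sh
# Added example, not code from the original posters. Set IPTABLES=echo to
# print the rules instead of applying them (applying needs root).
IPTABLES="${IPTABLES:-iptables}"

apply_rules() {
    # Default policy stays DROP: unsolicited TCP gets no answer at all
    # (the "stealth" result the original poster saw).
    "$IPTABLES" -P INPUT DROP
    "$IPTABLES" -A INPUT -i lo -j ACCEPT
    # Replies to our own outbound traffic (including DNS answers) are
    # tracked by conntrack, so no per-service UDP rule is needed for a client.
    "$IPTABLES" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Any UDP service you really run is ACCEPTed here, before the REJECT.
    # Everything else over UDP gets a negative answer, as Edu GV describes,
    # so the scanner Dieter mentions can classify the port as closed
    # rather than assuming the packet was received.
    "$IPTABLES" -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
}

# Emit the rule list as text for review (subshell keeps IPTABLES=echo local).
list_rules() {
    ( IPTABLES=echo; apply_rules )
}

# Verification, as Dieter suggests, from an external host:
#   nmap -sU -p 1-1024 <your-host>
# should now report the UDP ports as "closed" instead of "open|filtered".
```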

