sangbsy wrote:
> > Ports)
> > Err.. if they are "stealth" then how will anything connect to them?
> > I'm assuming that you have DNAT'd them so that machines outside your firewall can actually access the services. Correct?
>
> Hi Brad,
> Yes, Brad, that's right.
> Thanks.

Short answer is "You can't!".

The only way to "stealth" a port (as Steve Gibson likes to call it) is simply to drop all incoming packets on the floor. No response of any kind. The problem with this is that it's simply mutually incompatible with allowing a client to connect to/via that port.

You can -j DROP all the other ports, or set DROP as a default rule, but anyone poking at any of the ports you have DNAT'ed needs to be able to get something back.

Hit my box at home and you will get 22, 81, 113, 2000->2020. The rest are all configured to drop any inbound packet. But to those other ports, they are wide open.

Brad

--
"Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so." -- Douglas Adams
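The ruleset Brad describes, as an added example rather than his actual firewall config: a default-DROP filter table with no REJECT rules (so unanswered ports give no response at all), a handful of ports accepted locally, and a range DNAT'ed to a host on the LAN. Which of 22, 81, 113 and 2000-2020 are local services and which are forwarded is not stated in the post, so the split below, the interface name eth0 and the internal address 192.168.1.10 are assumptions. The script only generates an iptables-restore ruleset and classifies what an outside probe to a given port would get; applying it needs root.

```shell
#!/bin/sh
# Added example, not the poster's own rules. Generates an iptables-restore
# ruleset where every port not explicitly allowed is DROPped (silent, no RST or
# ICMP), while allowed and DNAT'ed ports necessarily answer.
#
# Assumptions for illustration (not from the original post):
WAN_IF="eth0"                     # assumed external interface
INTERNAL_HOST="192.168.1.10"      # assumed LAN host that receives DNAT'ed traffic
LOCAL_TCP="22 113"                # assumed: served on the firewall itself
DNAT_TCP="81 2000:2020"           # assumed: forwarded to INTERNAL_HOST

# Emit the complete ruleset. No REJECT anywhere: REJECT would send a TCP RST
# or ICMP unreachable and so reveal that a firewall is answering.
gen_ruleset() {
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    for p in $DNAT_TCP; do
        echo "-A PREROUTING -i $WAN_IF -p tcp --dport $p -j DNAT --to-destination $INTERNAL_HOST"
    done
    echo 'COMMIT'

    echo '*filter'
    echo ':INPUT DROP [0:0]'       # default policy DROP: unlisted ports stay silent
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for p in $LOCAL_TCP; do
        echo "-A INPUT -i $WAN_IF -p tcp --dport $p -j ACCEPT"
    done
    # DNAT happens in PREROUTING, so forwarded traffic is judged in FORWARD,
    # with the already-rewritten destination address.
    for p in $DNAT_TCP; do
        echo "-A FORWARD -i $WAN_IF -d $INTERNAL_HOST -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# Return 0 if port $1 is covered by the space-separated list $2,
# whose entries are single ports or iptables-style lo:hi ranges.
port_in_list() {
    port=$1
    for spec in $2; do
        case $spec in
            *:*) lo=${spec%%:*}; hi=${spec##*:} ;;
            *)   lo=$spec; hi=$spec ;;
        esac
        if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
            return 0
        fi
    done
    return 1
}

# What an unsolicited SYN from the WAN to TCP port $1 gets under this ruleset.
# Only the third case is "stealth"; the other two must answer by design.
probe_result() {
    if port_in_list "$1" "$DNAT_TCP"; then
        echo "forwarded to $INTERNAL_HOST (service answers)"
    elif port_in_list "$1" "$LOCAL_TCP"; then
        echo "accepted locally (service answers)"
    else
        echo "dropped (no response)"
    fi
}

# Stand-alone usage: print the ruleset and a few probe outcomes.
if [ "${1:-}" = "show" ]; then
    gen_ruleset
    for port in 22 80 81 2010 2021; do
        printf 'probe %s: %s\n' "$port" "$(probe_result "$port")"
    done
fi
```

Run `sh firewall.sh show` to see the generated ruleset; to load it, `sh firewall.sh show | sudo iptables-restore` (it replaces the nat and filter tables, so check the output first on a box you are not logged into over the network). The useful point the classifier makes explicit: a scanner sees exactly three outcomes, and only the default-policy DROP case looks like nothing is there.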
