--- In [email protected], Brad Campbell <[EMAIL PROTECTED]> wrote:
>
> sangbsy wrote:
> > Ports)
> >> Err.. if they are "stealth" then how will anything connect to them?
> >> I'm assuming that you have DNAT'd them so that machines outside your firewall can actually access
> >> the services. Correct?
> >>
> >
> > Hi Brad,
> > Yes, Brad, that's right.
> > Thanks.
>
> Short answer is "You can't!".
>
> The only way to "stealth" a port (as Steve Gibson likes to call it) is simply to drop all incoming
> packets on the floor. No response of any kind. The problem with this is it's simply mutually
> incompatible with allowing a client to connect to/via that port.
>
> You can -j DROP all the other ports, or set DROP as a default rule, but anyone poking at any of the
> ports you have dnat'ed needs to be able to get something back.
>
> Hit my box at home and you will get 22,81,113,2000->2020. The rest are all configured to drop any
> inbound packet. But to those other ports, they are wide open.
>
> Brad
> --
> "Human beings, who are almost unique in having the ability
> to learn from the experience of others, are also remarkable
> for their apparent disinclination to do so." -- Douglas Adams

Hi Brad,
Is it possible to drop dissimilar packets continuously coming from a particular IP or connection to the firewall, in situations like somebody trying port scans etc.?
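An added illustration, not part of the thread above: a small Python model of the two behaviours the exchange discusses. It shows why the DNAT'd ports have to answer while everything else is dropped (Brad's default-DROP setup, using the ports 22, 81, 113 and 2000-2020 he quotes), and it sketches the kind of tripwire the follow-up question asks about: a source that keeps hitting dropped ports gets temporarily blocked on every port. The source IPs, timestamps, thresholds and ban duration are constructed for the example; on a real netfilter box the equivalent is the `recent` match (`-m recent --set` / `--update --seconds --hitcount`), which this code only imitates in user space.

```python
"""Added example (not from the original thread): a toy model of a
default-DROP firewall with forwarded service ports, plus a port-scan
tripwire.  Port numbers are the ones quoted in Brad's message; every
IP address, timestamp and threshold below is constructed."""
from collections import defaultdict

# Ports that are DNAT'd/served: they must reply, so they cannot be "stealth".
OPEN_PORTS = {22, 81, 113} | set(range(2000, 2021))

SCAN_HITS = 5       # this many distinct dropped ports from one source ...
SCAN_WINDOW = 60    # ... within this many seconds marks it as a scanner
BAN_SECONDS = 600   # constructed ban duration (like -m recent --seconds)


class Firewall:
    def __init__(self):
        self.dropped = defaultdict(list)   # src -> [(ts, dport), ...] recent drops
        self.banned = {}                   # src -> ban expiry timestamp

    def decide(self, ts, src, dport):
        """Return "ACCEPT" or "DROP" for one inbound packet."""
        # 1. A banned source is dropped on every port until the ban expires.
        if src in self.banned:
            if ts < self.banned[src]:
                return "DROP"
            del self.banned[src]
        # 2. Forwarded services answer: a SYN here gets a SYN/ACK or RST back,
        #    so a scanner can always see these ports.
        if dport in OPEN_PORTS:
            return "ACCEPT"
        # 3. Default policy DROP: no response at all, the port looks "stealth".
        #    Remember the hit; many distinct closed ports in a short window
        #    from the same source is the classic port-scan signature.
        hits = [(t, p) for t, p in self.dropped[src] if ts - t <= SCAN_WINDOW]
        hits.append((ts, dport))
        self.dropped[src] = hits
        if len({p for _, p in hits}) >= SCAN_HITS:
            self.banned[src] = ts + BAN_SECONDS
        return "DROP"


# Constructed sample traffic, one packet per line: "timestamp source dport".
SAMPLE = """\
0 203.0.113.5 22
1 203.0.113.5 25
2 203.0.113.5 80
3 203.0.113.5 443
4 203.0.113.5 8080
5 203.0.113.5 3389
6 203.0.113.5 22
7 198.51.100.9 2010
"""


def run(log=SAMPLE):
    """Feed the sample log through the model; returns (src, dport, verdict)."""
    fw = Firewall()
    verdicts = []
    for line in log.splitlines():
        ts, src, dport = line.split()
        verdicts.append((src, int(dport), fw.decide(int(ts), src, int(dport))))
    return verdicts


if __name__ == "__main__":
    for src, dport, verdict in run():
        print(f"{src}:{dport} -> {verdict}")
```

Note what the sample shows: 203.0.113.5 is accepted on port 22 at first, then after probing five closed ports within the window its later packet to port 22 is dropped too, while 198.51.100.9 reaching a forwarded port is still accepted. The open ports remain visible to any single probe; the tripwire only limits how much a noisy scanner learns afterwards.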
