On Mon, Mar 16, 2009 at 3:29 PM, James G. Sack (jim) <jgs...@san.rr.com> wrote:
> Brad Beyenhof wrote:
>> Steve Gibson recommends setting all your ports the same (either open,
>> closed, or filtered). His reasoning is that ports set differently than
>> the others are just alerting potential attackers about what's actually
>> running on your machine.
>
> Would it be correct to say that "filtered" translates to a DENY rule in
> the firewall, and maybe closed translates to a REJECT?
>
> Or is there more to it?

"Filtered" is returned by nmap whether the packet was DEN[I]ed or
REJECTed. However, since DENY actually gives a response, nmap jumps
right to the next port, while a REJECT rule returns nothing and nmap
waits for a pre-defined timeout before moving on. A machine that's
fully "stealthed" (i.e. REJECTing on all ports) takes the longest for
nmap to scan, even though it returns nothing.

This is just for TCP, though. UDP functions slightly differently, in
that an unknown packet sent to a listening UDP socket usually gets
dropped if it can't be identified by the service. For programs like
nmap, this makes unfiltered yet open UDP ports look a lot like
filtered UDP ports. Unless you specifically ask it to, nmap only scans
TCP.

In addition, nmap by default will not scan an IP/hostname that doesn't
return a ping. If you know there's a machine where you're looking, you
can force it to scan ports anyway with the option "-PN" (no ping).
This used to be -P0 (zero), but it was changed to avoid confusion with
the -PO (oh) option.

-- 
Brad Beyenhof . . . . . . . . . . . . . . . . . http://augmentedfourth.com
Life would be so much easier if only (3/2)^12=(2/1)^7.

-- 
KPLUG-Newbie@kernel-panic.org
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-newbie
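The timing effect discussed above can be checked against your own host without nmap. The following is an added example, not code from the thread: a plain connect() probe that classifies a port as "open" (handshake completes), "closed" (the host answers at once with a RST, so the probe returns immediately) or "filtered" (no reply until the timeout expires, or an ICMP unreachable comes back). Function names (probe_tcp_port, loopback_demo) and the 2-second timeout are my own choices; the demo uses only the loopback interface.

```python
import errno
import socket
import time


def probe_tcp_port(host, port, timeout=2.0):
    """Classify one TCP port as a connect() probe sees it.

    Returns (state, elapsed_seconds). 'open': handshake completed;
    'closed': immediate RST (connection refused); 'filtered': silence
    until the timeout, or an ICMP unreachable instead of a TCP reply.
    """
    start = time.monotonic()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        state = "open"
    except socket.timeout:
        state = "filtered"        # packet silently dropped: waited full timeout
    except OSError as exc:
        if exc.errno == errno.ECONNREFUSED:
            state = "closed"      # answered at once with RST
        elif exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            state = "filtered"    # answered with ICMP unreachable
        else:
            raise
    finally:
        sock.close()
    return state, time.monotonic() - start


def loopback_demo(timeout=2.0):
    """Run the probe on this host's loopback interface (constructed demo).

    A throw-away listener gives the 'open' case; a second ephemeral port,
    released before probing, gives the 'closed' case. 'filtered' needs a
    firewall rule on the path, so it cannot be produced here.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))  # distinct from open_port while both are bound
    closed_port = spare.getsockname()[1]
    spare.close()                 # nothing listens there now
    try:
        return {"open": probe_tcp_port("127.0.0.1", open_port, timeout)[0],
                "closed": probe_tcp_port("127.0.0.1", closed_port, timeout)[0]}
    finally:
        listener.close()
```

Run probe_tcp_port against a port behind a silently dropping rule and the returned elapsed time will be close to the full timeout, which is exactly why a fully dropped host is the slowest to scan.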