On Mon, Mar 16, 2009 at 3:29 PM, James G. Sack (jim) <jgs...@san.rr.com> wrote:
> Brad Beyenhof wrote:
>> Steve Gibson recommends setting all your ports the same (either open,
>> closed, or filtered). His reasoning is that ports set differently than
>> the others are just alerting potential attackers about what's actually
>> running on your machine.
>
> Would it be correct to say that "filtered" translates to a DENY rule in
> the firewall, and maybe closed translates to a REJECT?
>
> Or is there more to it?
"Filtered" is returned by nmap whether the packet was DEN[I]ed or REJECTed. However, since DENY actually gives a response, nmap jumps right to the next port, while a REJECT rule returns nothing and nmap waits for a pre-defined timeout before moving on. A machine that's fully "stealthed" (i.e. REJECTing on all ports) takes the longest for nmap to scan, even though it returns nothing.

This is just for TCP, though. UDP functions slightly differently, in that an unknown packet sent to a listening UDP socket usually gets dropped if it can't be identified by the service. For programs like nmap, this makes unfiltered yet open UDP ports look a lot like filtered UDP ports. Unless you specifically ask it to, nmap only scans TCP.

In addition, nmap by default will not scan an IP/hostname that doesn't return a ping. If you know there's a machine where you're looking, you can force it to scan ports anyway with the option "-PN" (no ping). This used to be -P0 (zero), but it was changed to avoid confusion with the -PO (oh) option.

--
Brad Beyenhof . . . . . . . . . . . . . . . . . http://augmentedfourth.com
Life would be so much easier if only (3/2)^12=(2/1)^7.

--
KPLUG-Newbie@kernel-panic.org
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-newbie
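As an added illustration, not part of the thread above: a minimal TCP connect-probe classifier in Python that maps the kernel's connect() result onto the open/closed/filtered states and times each probe, so you can see on your own host that a port which answers (with a reset or an ICMP unreachable) comes back immediately, while one whose firewall rule silently discards the packet holds the scanner until its timeout. The function names are my own, and the demo only touches 127.0.0.1.

```python
import errno
import socket
import time

# connect_ex() hands back the kernel's errno for the SYN we sent. A peer that
# answers with a TCP reset (a closed port, or a firewall rule that rejects with a
# reset) yields ECONNREFUSED; on Linux an ICMP port-unreachable reply is folded
# into the same errno, so a plain connect scan cannot tell the two apart. A rule
# that silently discards the SYN gives no answer at all, and the probe returns only
# when the scanner's own timeout expires, which is what makes such hosts slow to scan.
STATE_BY_ERRNO = {
    0: "open",
    errno.ECONNREFUSED: "closed",
    errno.ETIMEDOUT: "filtered",     # kernel gave up retransmitting the SYN
    errno.EAGAIN: "filtered",        # how connect_ex reports our settimeout() expiring
    errno.EHOSTUNREACH: "filtered",  # ICMP host unreachable / admin prohibited
}

def classify(rc):
    """Map a connect_ex() return code onto nmap's open / closed / filtered states."""
    return STATE_BY_ERRNO.get(rc, "filtered")

def probe(host, port, timeout=2.0):
    """Send one TCP connect probe; return (state, seconds the probe took)."""
    start = time.monotonic()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        rc = s.connect_ex((host, port))
    return classify(rc), time.monotonic() - start

def demo_local_scan():
    """Constructed demo on 127.0.0.1: a listening socket plays the open port and a
    port we bound and released plays the closed one. Returns {port: state}."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    with socket.socket() as tmp:
        tmp.bind(("127.0.0.1", 0))
        unused = tmp.getsockname()[1]
    try:
        results = {p: probe("127.0.0.1", p) for p in (listener.getsockname()[1], unused)}
    finally:
        listener.close()
    for port, (state, secs) in results.items():
        print(f"{port}/tcp {state} ({secs * 1000:.1f} ms)")
    return {port: state for port, (state, _) in results.items()}

if __name__ == "__main__":
    demo_local_scan()
```

Run it against a host behind a rule that discards packets and the per-port time jumps to the full timeout, which is the slowdown the reply describes.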