> However there are so many sanity checks in unclean that it's not so
> easy to design an intuitive and handy interface.

I will look into it. I have seen tons of checks; maybe it is possible to devise a strategy.
> > 1. match ip unused and log or drop
> > 2. match some scans using --tcp-flags and reject with tcp-reset
> > 3. match tcp scans using psd and reject with tcp-reset
> > 4. match udp scans using psd and reject with icmp
> > 5. match using unclean for anything else: bad chksum, bad frag offset,
> >    etc.
>
> If you simply drop at 5. then it could be replaced with the new unclean
> match used at 1.

No, unclean will match what's in 2: XMAS, NULL, etc. But I will add this to unclean and send a patch soon.

Maciek
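The five-step strategy quoted above, written out as iptables rules. This is an added example, not code from the thread or from the netfilter project. It assumes a dedicated chain named SCANDEF, a constructed address range 192.0.2.128/25 with no live hosts on it (standing in for "ip unused"), and that the psd and unclean match extensions are available; both came from netfilter's patch-o-matic rather than core iptables, so check `iptables -m psd --help` and `iptables -m unclean --help` on the target before applying. It runs as a dry run by default (prints the commands) and only touches the firewall when invoked with IPT=iptables as root.

```shell
#!/bin/sh
# Added example: iptables rules for the five-step scan-handling strategy
# from the thread. Dry run by default; set IPT=iptables to apply for real.
#
# Assumptions (not from the thread):
#   - SCANDEF is a dedicated chain hooked into INPUT
#   - UNUSED_NET is a constructed range with no live hosts behind it
#   - the psd and unclean match extensions are loaded on the target

IPT="${IPT:-echo iptables}"                 # unquoted below on purpose: "echo iptables" is two words
UNUSED_NET="${UNUSED_NET:-192.0.2.128/25}"  # constructed: addresses nobody uses

scan_defence_rules() {
  # Own chain so the rules can be flushed/reloaded without touching INPUT.
  $IPT -N SCANDEF

  # 1. Traffic to addresses that are not in use is a sweep or misconfiguration:
  #    log it, then drop it (LOG is non-terminating, hence two rules).
  $IPT -A SCANDEF -d "$UNUSED_NET" -j LOG --log-prefix "unused-ip: "
  $IPT -A SCANDEF -d "$UNUSED_NET" -j DROP

  # 2. Flag combinations no legitimate stack sends: NULL (no flags),
  #    XMAS (all flags), SYN+FIN. Reject with RST so the scanner sees "closed".
  $IPT -A SCANDEF -p tcp --tcp-flags ALL NONE        -j REJECT --reject-with tcp-reset
  $IPT -A SCANDEF -p tcp --tcp-flags ALL ALL         -j REJECT --reject-with tcp-reset
  $IPT -A SCANDEF -p tcp --tcp-flags SYN,FIN SYN,FIN -j REJECT --reject-with tcp-reset

  # 3. TCP port scans detected by the psd match (default thresholds): RST back.
  $IPT -A SCANDEF -p tcp -m psd -j REJECT --reject-with tcp-reset

  # 4. UDP port scans detected by psd: answer with ICMP port unreachable,
  #    which is what a closed UDP port would have said anyway.
  $IPT -A SCANDEF -p udp -m psd -j REJECT --reject-with icmp-port-unreachable

  # 5. Anything else malformed (bad checksum, bad fragment offset, ...): drop.
  $IPT -A SCANDEF -m unclean -j DROP

  # Hook the chain into INPUT; ordering matters, so put it before ACCEPT rules.
  $IPT -A INPUT -j SCANDEF
}

scan_defence_rules
```

Rules 1 to 4 are ordered from cheapest to most stateful: the unused-address and flag checks are per-packet and stateless, while psd keeps per-source history, so they are placed first. Rule 5 comes last precisely because, as the reply above notes, unclean also catches the NULL/XMAS cases already handled in step 2, and a stateless reject is cheaper than running every packet through unclean's full set of checks.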