Hi

> Dear all,
> can you tell me how to block SYN&FIN portscans.

both SYN&FIN flags set:

iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j <your action>

<action can be: DROP, REJECT, REJECT --reject-with tcp-reset>

It depends on the tool used. My version of nmap does not support a SYNFIN scan, but knowing the implementation of nmap's guessing algorithm, I would reply with tcp-reset. If the user were to use hping on a machine, I would use DROP. But that does not really matter, because if someone were to portscan, say, 100 ports, from 20 to 120, he would get all closed or all open, depending on the <action>, so that does not really give any information.

Note that dropping SYNFIN is incompliant with some services; I do not remember which, sorry.

To block FIN scans use:

iptables -A INPUT -p tcp -m state --state NEW --tcp-flags FIN FIN -j REJECT --reject-with tcp-reset

To block SYN scans use:

iptables -A INPUT -m psd -j <action>

Note that in some cases you might want to adjust psd options; do a:

iptables -m psd --help

The rules you sent had been cut off by demime, I suppose, and they did not get through to the list.

Have a great day,
Maciej Soltysiak
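As an added illustration (not from the thread, and not iptables code), the following models how the `--tcp-flags MASK COMP` match in the rules above decides on a packet, why the FIN rule is paired with `--state NEW`, and a crude per-source port counter standing in for what the `psd` match does; the flag constants, sample addresses and packets are constructed for the example.

```python
from collections import defaultdict

# TCP flag bits as laid out in the TCP header (RFC 793 values).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def bits(names):
    """Turn a list of flag names into the flag byte they set."""
    return sum(TCP_FLAGS[n] for n in names)


def tcp_flags_match(flags, mask, comp):
    """Semantics of iptables `--tcp-flags MASK COMP`: look only at the
    bits named in MASK and require that, among them, exactly the bits
    named in COMP are set."""
    return (flags & bits(mask)) == bits(comp)


# The two flag rules from the reply as (name, MASK, COMP).
RULES = [
    ("synfin", ["SYN", "FIN"], ["SYN", "FIN"]),
    ("fin",    ["FIN"],        ["FIN"]),
]


def classify(flags, new_connection=True):
    """Name of the first rule a packet would hit, or None.
    The FIN rule carries `-m state --state NEW` in the thread, so it is
    only consulted for packets that do not belong to a tracked
    connection; without that qualifier `FIN FIN` would also match the
    FIN/ACK that closes every legitimate session."""
    for name, mask, comp in RULES:
        if name == "fin" and not new_connection:
            continue
        if tcp_flags_match(flags, mask, comp):
            return name
    return None


def sweep_sources(packets, threshold):
    """Stand-in for the psd idea: sources that probed at least
    `threshold` distinct destination ports."""
    ports = defaultdict(set)
    for src, dport, _flags in packets:
        ports[src].add(dport)
    return sorted(s for s, p in ports.items() if len(p) >= threshold)


# Constructed sample traffic: (source, destination port, flag byte).
SAMPLE = ([("10.0.0.5", p, bits(["SYN", "FIN"])) for p in range(20, 120)]
          + [("10.0.0.9", 22, bits(["SYN"])),
             ("10.0.0.9", 22, bits(["FIN", "ACK"]))])
```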
