How about this as a possible solution: in your OUTPUT chain and in FORWARD -o $EXTERNAL_INT, have a rule something like (with the recent patch compiled in):
$IPT -A OUTPUT -m state --state NEW -m recent --name validconn --set
$IPT -A FORWARD -m state --state NEW -o $EXTERNAL_INT -m recent --name validconn --set

and then:

$IPT -A INPUT -m recent --name validconn --rcheck --seconds 20 -p tcp --dport 113 -j REJECT --reject-with tcp-reset

and let everything else fall through to a default DROP rule.

This way you will only send tcp resets for ident lookups if you have made a connection to the source of the ident lookup in the last 20 seconds. Otherwise (for general nmappers out there), everything gets dropped. Add this to some -m psd magic and some other judicious use of the recent patch, and you should be able to have a firewall that denies all evidence that you exist.

-Joe

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Antony Stone
> Sent: Friday, June 14, 2002 5:19 AM
> To: [EMAIL PROTECTED]
> Subject: Re: TCP delay, solved
>
>
> On Friday 14 June 2002 9:25 am, David Luyer wrote:
>
> > > Easy solution:
> > >
> > > deny (connection reset) rather than drop the connections
> >
> > I meant reject. From the man page:
> >
> > Why connection reset? For idiots at the other end who firewall all
> > ICMP.
>
> Same problem. Leaves me with a port on my Firewall which
> responds to nmap
> etc. All other ports on my Firewall return nothing, so the machine is
> invisible - I don't want port 113 standing out by doing something
> different.
>
>
> Antony.
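To make the intended behaviour of those rules checkable without a kernel, here is a small Python model of the decision flow: a "recent" list that is populated on NEW outbound connections and consulted, with a 20-second window, before an inbound ident packet is answered with a TCP reset. This is an added illustration written for this thread, not code from the list or from netfilter; the event tuples, timestamps and addresses are constructed sample traffic, and the model assumes that the list records the remote peer's address. One thing a practitioner should verify on a real system: in current iptables, -m recent --set stores the packet's source address unless --rdest is given, so a --set rule in OUTPUT would by default record the firewall's own address rather than the peer's, and whether the 2002 patch offered --rdest is not something this thread settles.

```python
"""Model of: record peers we open connections to (-m recent --set on NEW
outbound traffic), then REJECT ident (tcp/113) with a TCP reset only when the
probing host is in that list and was seen within --seconds 20; everything
else hits the default DROP.  Added example; assumes the list holds the peer
address (see --rdest caveat in the lead-in)."""
from dataclasses import dataclass, field

WINDOW_SECONDS = 20          # --seconds 20
IDENT_PORT = 113             # --dport 113
REJECT_RST = "REJECT --reject-with tcp-reset"
DROP = "DROP"


@dataclass
class RecentList:
    """One named '-m recent' list: address -> last time it was --set."""
    name: str
    seen: dict = field(default_factory=dict)

    def set(self, addr: str, now: float) -> None:
        """--set: add the address, or refresh its timestamp."""
        self.seen[addr] = now

    def rcheck(self, addr: str, now: float, seconds: float) -> bool:
        """--rcheck --seconds N: true if addr was set within the last N
        seconds.  Unlike --update, a check does not refresh the entry."""
        last = self.seen.get(addr)
        return last is not None and (now - last) <= seconds


def inbound_verdict(recent: RecentList, src: str, dport: int, now: float) -> str:
    """INPUT chain: the single REJECT rule, then the default DROP."""
    if dport == IDENT_PORT and recent.rcheck(src, now, WINDOW_SECONDS):
        return REJECT_RST
    return DROP


def simulate(events):
    """Replay constructed traffic and return one verdict per inbound packet.

    events are tuples:
      ("out", peer, t)        NEW connection from the firewall/LAN to peer
      ("in", src, dport, t)   packet arriving at the firewall from src
    """
    recent = RecentList("validconn")
    verdicts = []
    for ev in events:
        if ev[0] == "out":
            _, peer, t = ev
            recent.set(peer, t)               # OUTPUT/FORWARD --set
        else:
            _, src, dport, t = ev
            verdicts.append(inbound_verdict(recent, src, dport, t))
    return verdicts


# Constructed sample traffic (documentation-range addresses, seconds as time).
SAMPLE_EVENTS = [
    ("in", "203.0.113.7", 113, 1.0),    # ident probe, no prior connection: DROP
    ("out", "203.0.113.7", 10.0),       # we connect to that host (e.g. SMTP/IRC)
    ("in", "203.0.113.7", 113, 12.0),   # its ident lookback 2s later: RST
    ("in", "203.0.113.7", 22, 12.0),    # same host, non-ident port: still DROP
    ("in", "198.51.100.9", 113, 12.0),  # unrelated scanner: DROP
    ("in", "203.0.113.7", 113, 31.0),   # 21s after the connection: window over, DROP
]

if __name__ == "__main__":
    for ev, verdict in zip([e for e in SAMPLE_EVENTS if e[0] == "in"],
                           simulate(SAMPLE_EVENTS)):
        print(ev, "->", verdict)
```

The last two sample events are the cases worth keeping in mind: a host you never connected to gets exactly the same silence on 113 as on every other port, and a peer that waits longer than the window also gets silence, so a late ident lookup from a legitimate server will time out rather than be reset.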
