Hi,
> > I recently thought about the following. If a port is closed the host
> > refuses the connection. What does the host exactly respond?
>
> It sends a reset.

Correct me if I'm wrong, but the host would respond with FIN, ACK.

Client sync--> host
client <--sync,ack host
client ack---> host
(if host port is closed)
client <---fin,ack host
client ack---> host
client rst---> host

> > Is it necessary that the host responds on a closed port (couldn't that be
> > managed in some way with timeouts)?
>
> If the host is alive it sends back a reset so that you don't have to wait
> for the timeout, otherwise the application would be stalled waiting for the
> timeout.
>
> > Could you suggest a way to make ipchains act like a port was closed when
> > filtering it, so that a portscanner from certain machines wouldn't notice
> > the firewall?
>
> Use '-j REJECT' instead of '-j DROP'.
>
> For more info on this subject you can see my paper "Firewall rule exposure
> on ACK based filters" (http://www.bhodisoft.com/Sec/ba-2001-02.html) but
> your best bet is one of Fyodor's papers on how nmap
> (http://www.insecure.org/nmap/) works.
>
> -G_E

"Security of information is an illusion. What is in one's mind gets into the collective consciousness (akasha), so that can be read with meditation ;-) You don't have to hack. Just 'remember'! You're the one."
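What a client's connect() sees in the cases this thread discusses, as an added example that is not part of the original message: a Python probe, run against loopback only, that tells an immediate refusal apart from silence. The names `probe` and `demo`, the loopback address and the 2 second timeout are assumptions; the "filtered" branch needs a packet filter in the path and is not exercised by the demo.

```python
import errno
import socket
import time


def probe(host, port, timeout=2.0):
    """Make one TCP connect attempt; return (state, seconds_elapsed)."""
    start = time.monotonic()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        state = "open"        # SYN, SYN/ACK, ACK completed
    except ConnectionRefusedError:
        state = "closed"      # ECONNREFUSED: the SYN was answered with a refusal
    except socket.timeout:
        state = "filtered"    # no answer at all; the caller waited the full timeout
    except OSError as exc:    # e.g. EHOSTUNREACH or ENETUNREACH
        state = "error:" + errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        s.close()
    return state, time.monotonic() - start


def demo(timeout=2.0):
    """Probe a listening and a non-listening loopback port (constructed setup)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # port 0: the kernel picks a free port
    listener.listen(1)
    open_result = probe("127.0.0.1", listener.getsockname()[1], timeout)
    listener.close()

    # Bound but never listen()ed: the port is reserved for this process,
    # yet nothing accepts connections on it, so the kernel treats it as closed.
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    holder.bind(("127.0.0.1", 0))
    closed_result = probe("127.0.0.1", holder.getsockname()[1], timeout)
    holder.close()
    return open_result, closed_result


if __name__ == "__main__":
    for label, (state, secs) in zip(("listening", "not listening"), demo()):
        print(f"{label:14s} {state:8s} {secs * 1000:.1f} ms")
```

The closed port returns in well under the timeout, while a port behind a silently dropping filter would hold the caller for the whole timeout before reporting "filtered".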
