In article <[EMAIL PROTECTED]>,
Geoff Rehmet <[EMAIL PROTECTED]> wrote:
> >
> > Plus, packets with RST in them are used for other purposes besides
> > rejecting new incoming connections..
>
> True, my implementation is specific that I only omit generating
> a RST when the incoming segment is a SYN. All other instances
> where you would generate a RST are left alone, and carry on
> behaving as before - otherwise you might break TCP behaviour.
I like the idea. However, something a _little_ more sophisticated
would be nice. The policy you describe above wouldn't work against
stealth probes. From the nmap man page:
-sF -sX -sN
Stealth FIN, Xmas Tree, or Null scan modes: There
are times when even SYN scanning isn't clandestine
enough. Some firewalls and packet filters watch for
SYNs to restricted ports, and programs like Synlogger
and Courtney are available to detect these
scans. These advanced scans, on the other hand, may
be able to pass through unmolested.
The idea is that closed ports are required to reply
to your probe packet with an RST, while open ports
must ignore the packets in question (see RFC 794 pp
64). The FIN scan uses a bare (surprise) FIN
packet as the probe, while the Xmas tree scan turns
on the FIN, URG, and PUSH flags. The Null scan
turns off all flags.
John
--
John Polstra [EMAIL PROTECTED]
John D. Polstra & Co., Inc. Seattle, Washington USA
"No matter how cynical I get, I just can't keep up." -- Nora Ephron
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message
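To make the point in the reply concrete, here is an added example (not code from the thread or from FreeBSD) that parses the flags byte out of constructed raw TCP headers, labels the nmap probe style each one resembles, and checks whether a closed port would still answer it with RST under a "no RST for a bare SYN" policy. The function and probe names are assumptions chosen for the example.

```python
import struct

# TCP flag bits as laid out in the flags byte of the header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def tcp_flags(segment: bytes) -> int:
    """Return the flags byte of a raw TCP header (no IP header in front)."""
    return struct.unpack_from("!B", segment, 13)[0]  # byte 13 holds the flags


def probe_type(flags: int) -> str:
    """Label the nmap probe style a segment resembles ("other" for normal traffic)."""
    if flags == SYN:
        return "syn"
    if flags == FIN:
        return "fin"
    if flags == FIN | URG | PSH:
        return "xmas"
    if flags == 0:
        return "null"
    return "other"


def closed_port_sends_rst(flags: int, suppress_syn_rst: bool) -> bool:
    """Would a closed port answer this segment with RST?

    RFC 793: a closed port answers anything that is not itself a RST with a RST.
    The policy discussed in the thread only omits the RST for a bare SYN.
    """
    if flags & RST:
        return False
    if suppress_syn_rst and flags == SYN:
        return False
    return True


def build_segment(sport: int, dport: int, flags: int) -> bytes:
    """Constructed 20-byte TCP header: no options, zero checksum, given flags."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)


def audit(segments, suppress_syn_rst=True):
    """Map each probe style to whether a closed port would still reveal itself with RST."""
    return {probe_type(tcp_flags(s)): closed_port_sends_rst(tcp_flags(s), suppress_syn_rst)
            for s in segments}


if __name__ == "__main__":
    probes = [build_segment(40000, 22, f) for f in (SYN, FIN, FIN | URG | PSH, 0)]
    for kind, rst in audit(probes).items():
        print(f"{kind:5s} probe to closed port -> {'RST sent' if rst else 'silent'}")
```

With the policy enabled only the SYN probe goes unanswered; FIN, Xmas and Null probes still get a RST from closed ports and none from open ones, so they can still tell the two apart.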