syn scan
Jeremie Le Hen
jeremie at le-hen.org
Fri May 13 02:15:16 PDT 2005
Hi Anton,
> Dear all,
>
> Is it possible to detect and/or disable nmap SYN scan with ipfw?
> I've added the rule below; it catches some packets from nmap but not all.
>
> deny tcp from any to me dst-port 22,25,53,80,443 \
>      tcpflags syn,!fin,!ack,!psh,!rst,!urg \
>      tcpoptions mss,window,!sack,ts,!cc
nmap SYN scans don't use TCP options at all IIRC. MSS and TS are very
common these days, so I guess you could drop TCP SYN packets which don't
have one of those. Be warned nevertheless that some older systems
might not be able to establish a connection anymore.
I think the correct way to do this is indeed using an IDS.
Regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
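The heuristic from the reply above (a bare SYN carrying neither an MSS nor a timestamp option looks like a scanner probe rather than a real TCP stack), as an added detection example that is not part of the mailing-list thread. It parses raw TCP headers; the sample segments are constructed inline and the "normal"/"suspicious" labels are this example's own, with "suspicious" kept as a log-and-review verdict because, as the reply warns, some older stacks also send optionless SYNs.

```python
import struct

# TCP option kinds: EOL, NOP, MSS (kind 2), SACK-permitted, timestamps (kind 8)
OPT_EOL, OPT_NOP, OPT_MSS, OPT_SACK_PERM, OPT_TS = 0, 1, 2, 4, 8
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def parse_tcp(segment: bytes):
    """Return (flag bits, set of option kinds) from a raw TCP header."""
    _src, _dst, _seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    data_offset = (off_flags >> 12) * 4      # header length in bytes
    flags = off_flags & 0x1FF
    opts = segment[20:data_offset]
    kinds, i = set(), 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:                  # single-byte padding option
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                            # truncated or malformed option
        kinds.add(kind)
        i += opts[i + 1]
    return flags, kinds


def classify_syn(segment: bytes) -> str:
    """Apply the same test as the ipfw rule: bare SYN, then check for MSS/TS."""
    flags, kinds = parse_tcp(segment)
    if flags & 0x3F != SYN:                  # not a pure SYN (ACK/RST/FIN/PSH/URG set)
        return "not-syn"
    if OPT_MSS in kinds or OPT_TS in kinds:
        return "normal"
    return "suspicious"                      # optionless SYN: scanner-like, or an old stack


def build_segment(flags: int, options: bytes = b"") -> bytes:
    """Constructed test segment: 20-byte header plus options padded to 4 bytes."""
    options += b"\x00" * (-len(options) % 4)
    data_offset = (20 + len(options)) // 4
    header = struct.pack("!HHIIHHHH", 40000, 22, 1, 0,
                         (data_offset << 12) | flags, 65535, 0, 0)
    return header + options


# Constructed samples: a bare optionless SYN, and a SYN with a typical option set
# (MSS 1460, SACK-permitted, timestamps, NOP, window scale 7).
BARE_SYN = build_segment(SYN)
TYPICAL_OPTS = b"\x02\x04\x05\xb4\x04\x02\x08\x0a" + b"\x00" * 8 + b"\x01\x03\x03\x07"
HOST_SYN = build_segment(SYN, TYPICAL_OPTS)
```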