From: Chris Brenton <cbrenton@chrisbrenton.org>
To: jagrelo@novadevices.com
Cc: netfilter <netfilter@lists.netfilter.org>
Subject: Re: nmap protection rules
Date: Thu, 30 Dec 2004 07:18:28 -0500	[thread overview]
Message-ID: <1104409107.2011.119.camel@grendel> (raw)
In-Reply-To: <41D2F4DE.11586.29F761B5@localhost>

On Wed, 2004-12-29 at 18:18, Jorge Agrelo wrote:
> Can anyone help me to write iptables rules to:
> 
> * block IP protocol scans (nmap -sO)

When performing a protocol scan, nmap sends an IP packet with no
transport header. So for example to check for AH support, byte 9 in the
IP header is set to "51" but no AH header is included in the packet. The
concept is a system which supports AH will ignore the packet and not
respond. A system that does not support AH will return an ICMP type 3
code 2 (protocol unreachable).

So, provided your iptables default policy is "deny all", you should be
fine.

> * block UDP scans (nmap -sU)

nmap spews out packets to multiple UDP ports. This time it looks for
returning ICMP type 3 code 3 (port unreachable) packets to indicate
which ports are closed. Ports that do not respond are flagged as open.
Again, your best bet is a default "deny all" rule.

> * block identification via TCP/IP fingerprinting (nmap -O)

nmap needs access to one open TCP port, and both a closed TCP and UDP
port to perform a fingerprint attempt. Do not permit access to closed
ports on your system and you should be fine. Again, the default "deny
all" rule is your friend. Only let through the services you plan to
support.

HTH,
Chris
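The "deny all" policy Chris recommends for all three scan types, written out as an added example that is not part of the thread: a function that emits a default-deny ruleset in iptables-restore(8) format, plus a small shell model of what the host sends back to each probe with and without that ruleset loaded. The model, the result names it prints, and the choice of SSH and HTTP as the only exposed services are this example's own assumptions; the unfiltered case is modelled as a host that does not implement the probed IP protocol, which is the case in which the kernel answers with ICMP type 3 code 2.

```shell
#!/bin/sh
# Added example, not from the list post. Default-deny INPUT policy with an
# explicit allow list, and a model of the replies nmap's -sO / -sU / -O
# probes rely on. Assumption: only SSH and HTTP are meant to be reachable.

ALLOWED_TCP="22 80"   # services we intend to support (constructed for the example)
ALLOWED_UDP=""        # no UDP services exposed

# allowed LIST PORT: true if PORT appears in the whitespace-separated LIST
allowed() {
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}

# Emit the ruleset on stdout. Load with:  build_rules | iptables-restore
# Policy DROP means closed ports and unknown protocols produce no reply at
# all, which is the behaviour the post relies on.
build_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for p in $ALLOWED_TCP; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $ALLOWED_UDP; do
        printf '%s\n' "-A INPUT -p udp --dport $p -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# probe_reply POLICY PROTO [PORT]
#   POLICY "none": no packet filter, the kernel answers as the post describes
#   POLICY "deny": the default-deny ruleset from build_rules is loaded
# Prints the reply the prober would see: syn-ack, tcp-rst, icmp3/3 (port
# unreachable), icmp3/2 (protocol unreachable), app-or-silence, or none.
probe_reply() {
    policy=$1; proto=$2; port=${3:-}
    case "$proto" in
        6)  # TCP (nmap -O needs a closed port that answers RST)
            if allowed "$ALLOWED_TCP" "$port"; then echo syn-ack
            elif [ "$policy" = none ]; then echo tcp-rst
            else echo none; fi ;;
        17) # UDP (nmap -sU infers "closed" from ICMP 3/3)
            if allowed "$ALLOWED_UDP" "$port"; then echo app-or-silence
            elif [ "$policy" = none ]; then echo icmp3/3
            else echo none; fi ;;
        *)  # any other IP protocol number, e.g. 51 = AH with no AH header (nmap -sO)
            if [ "$policy" = none ]; then echo icmp3/2
            else echo none; fi ;;
    esac
}

# Stand-alone usage: print the ruleset, then compare the two policies.
build_rules
for probe in "51" "17 53" "6 25" "6 22"; do
    printf 'proto/port %-6s unfiltered: %-8s default-deny: %s\n' "$probe" \
        "$(probe_reply none $probe)" "$(probe_reply deny $probe)"
done
```

With the DROP policy every probe that is not for an allowed service gets "none", so the protocol scan and UDP scan cannot distinguish closed from filtered, and the fingerprint attempt is denied the closed-port responses it needs; only the listed services still answer.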

Thread overview: 3+ messages
2004-12-29 23:18 nmap protection rules Jorge Agrelo
2004-12-30 12:18 ` Chris Brenton [this message]
2005-01-01 22:08   ` Jose Maria Lopez