Date: Fri, 13 May 2005 11:15:15 +0200
From: Jeremie Le Hen <jeremie@le-hen.org>
To: Anton Butsyk <anton@abutsyk.sumy.ua>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: syn scan
Message-ID: <20050513091515.GC667@obiwan.tataz.chchile.org>
In-Reply-To: <00a901c556e3$766ae8d0$0100030a@admin>
References: <00a901c556e3$766ae8d0$0100030a@admin>
Hi Anton,

> Dear all,
>
> Is it possible to detect and/or disable nmap SYN scan with ipfw?
> I've added the rule below; it catches some packets from nmap but not all.
>
> deny tcp from any to me dst-port 22,25,53,80,443 \
>     tcpflags syn,!fin,!ack,!psh,!rst,!urg \
>     tcpoptions mss,window,!sack,ts,!cc

nmap SYN scan doesn't use TCP options at all IIRC. MSS and TS are very
common these days, so I guess you could drop TCP SYN packets which don't
have one of those. Be warned nevertheless that some older systems might
not be able to establish a connection anymore.

I think the correct way to do this is indeed using an IDS.

Regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
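To make concrete what the policy in the reply would match (SYN with every other flag clear, and neither an MSS nor a timestamp option, i.e. `tcpflags syn,!fin,!ack,!psh,!rst,!urg tcpoptions !mss,!ts` in ipfw syntax), here is an added Python example that is not part of the thread: it parses the flag word and option list of a raw TCP header and applies that check to constructed sample segments. The function names `parse_tcp`, `optionless_syn` and `build_segment` and the sample segments are this example's own inventions.

```python
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20   # TCP flag bits
MSS, WSCALE, SACK_OK, TS = 2, 3, 4, 8   # option kinds ipfw calls mss, window, sack, ts


def parse_tcp(segment: bytes):
    """Return (flags, set of option kinds) from a raw TCP header (no IP header)."""
    off_flags = struct.unpack("!HHIIHHHH", segment[:20])[4]
    data_off = (off_flags >> 12) * 4
    flags = off_flags & 0x3F
    kinds = set()
    i = 20
    while i < data_off:
        kind = segment[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # NOP padding carries no length byte
            i += 1
            continue
        length = segment[i + 1]
        if length < 2 or i + length > data_off:
            raise ValueError("malformed TCP option at offset %d" % i)
        kinds.add(kind)
        i += length
    return flags, kinds


def optionless_syn(segment: bytes) -> bool:
    """The reply's policy: SYN with every other flag clear (ipfw 'tcpflags
    syn,!fin,!ack,!psh,!rst,!urg') and neither MSS nor TS option present."""
    flags, kinds = parse_tcp(segment)
    if flags & (FIN | SYN | RST | PSH | ACK | URG) != SYN:
        return False
    return not (kinds & {MSS, TS})


def build_segment(flags: int, options: bytes, dport: int = 22) -> bytes:
    """Constructed sample segment: 20-byte header plus options padded to 4 bytes."""
    options += b"\x00" * (-len(options) % 4)
    data_off = (20 + len(options)) // 4
    return struct.pack("!HHIIHHHH", 40000, dport, 1, 0,
                       (data_off << 12) | flags, 65535, 0, 0) + options


# Constructed samples: a typical client SYN (MSS 1460, SACK-permitted,
# timestamps, NOP, window scale 7), a bare SYN with no options, and a SYN/ACK.
CLIENT_SYN = build_segment(SYN, b"\x02\x04\x05\xb4" b"\x04\x02" b"\x08\x0a"
                           + b"\x00" * 8 + b"\x01\x03\x03\x07")
BARE_SYN = build_segment(SYN, b"")        # what the reply says a SYN scan sends
SYN_ACK = build_segment(SYN | ACK, b"")   # a reply segment must never match
```

A SYN carrying only an MSS option still passes, which is the compatibility trade-off the reply warns about for older stacks that send neither option.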