IPTables vs IPFilter

Oskar Andreasson blueflux@koffein.net
Mon, 20 Aug 2001 10:42:22 +0200


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Austin,

I've seen this problem before, but never gotten around to finding a solution
for it. However, I think it has to do with the fact that when you DROP a
packet you don't send anything back (nmap doesn't get a reply for that port).
If it gets a few ACCEPTs and a few DROPs it figures out that "this host is
blocking certain ports since it won't reply to those ports but answers on
that port, hence the host must be filtered". If we were to send an ICMP reply,
but of the wrong sort, i.e. send a HOST_UNREACHABLE ICMP when it sends a
packet to a REJECTed port, nmap would still figure out that it's filtered. If
we instead send the right kind of answer, i.e. a PORT_UNREACHABLE ICMP reply,
it might stop nmap from figuring the problem out. You'd need to read up a bit
on the different ICMP packets that you might generate and in what kind of
circumstances they may be used in a reply. I've provided an updated list of
all the ICMP packets, which has been available in the tutorial since a couple
of days back, if you want to take a look at it; there is also a link to a
site that contains a little bit more information about ICMP packets.

Hope this helps some. Since I'm a bit uncertain whether this really is the
case, I'm also sending this to the netfilter mailing list to see if they can
shed some light on the subject.

- -- 
Oskar Andreasson
Multisoft Education AB
Cell: +46-736-524228

On Monday 20 August 2001 12:04 am, Austin Gonyou wrote:
> When using IPTables and nmapping my host from a remote host, even though I've
> set drop for specific ports, etc., nmap will still report the port I've set
> as drop or reject as filtered. Yet when using ipfilter on bsd or on a 2.2.x
> kernel, rejecting or dropping a port does just that. The port will disappear
> and nmap won't report it as filtered. I've asked a lot of people about this,
> and I just don't understand what's going on there. Any help on this would be
> wonderful. Thanks in advance.
> Austin
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7gM10xO3KTTz2r/kRAnYIAJ4gXVjG2WNO/QUp3O1BlyDsNKEMkACfbdUZ
lRlkFCRr7KT1v3q1VQKo/K0=
=5TyT
-----END PGP SIGNATURE-----
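The difference the thread is about is the reply the firewall sends: a DROP target sends nothing, so a scanner sees a timeout and reports "filtered", while a REJECT target that sends what a genuinely closed port would send (an ICMP port-unreachable for UDP, a TCP RST for TCP) lets the port look merely closed. The following is an added example, not code from the thread or from the iptables tutorial it mentions: it emits both rule styles as reviewable text for a constructed list of `proto:port` specs (the chain, ports and protocols are placeholders). Applying the output needs root on a Linux host with iptables; the `--reject-with tcp-reset` and `--reject-with icmp-port-unreachable` values are real iptables REJECT options.

```shell
# Added example (not from the original thread). Emits DROP rules and
# REJECT rules with a "closed port" reply as text, so the difference can be
# reviewed before anything is applied. Ports/protocols are constructed.

# Reply type that matches what a genuinely closed port would send.
reject_type() {
  case "$1" in
    tcp) echo tcp-reset ;;              # RST, as a closed TCP port replies
    udp) echo icmp-port-unreachable ;;  # ICMP type 3/code 3, closed UDP port
    *)   echo icmp-port-unreachable ;;  # sensible default for other protocols
  esac
}

# $1 = drop|reject, $2 = protocol, $3 = port -> one iptables command line.
rule_for() {
  if [ "$1" = drop ]; then
    # Silent drop: the scanner gets no answer and reports "filtered".
    printf 'iptables -A INPUT -p %s --dport %s -j DROP\n' "$2" "$3"
  else
    # Reject with the reply a closed port would give.
    printf 'iptables -A INPUT -p %s --dport %s -j REJECT --reject-with %s\n' \
      "$2" "$3" "$(reject_type "$2")"
  fi
}

# $1 = drop|reject, remaining args = proto:port specs; one rule per spec.
ruleset() {
  mode=$1
  shift
  for spec in "$@"; do
    proto=${spec%%:*}
    port=${spec#*:}
    rule_for "$mode" "$proto" "$port"
  done
}

# Usage: review the output, then run it as root on the firewall host, e.g.
#   ruleset reject tcp:23 udp:161 tcp:111
```

Note that the 2001 message proposes an ICMP port-unreachable for a REJECTed TCP port as well; for TCP the reply that matches a closed port is a RST, which is why `reject_type` selects `tcp-reset` there.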