On 2001.09.06 19:24:38 +0100 Anders Johansson wrote:
> On Thursday 06 September 2001 19.54, dog@intop.net wrote:
> > well, when i do a port scan and have DENY in the firewall rules, i get
> > the message that the port is in a filtered state. maybe this is just
> > my thinking, but if it's filtered, then there must be a daemon
> > listening on that port. why would i filter access to the port if there
> > is nothing listening on that port. so i use REJECT so that the port
> > does not even
>
> Maybe this is "smart" portscanners assuming that no reply means there is
> a firewall in the way filtering packets - after all, why portscan a
> non-existent host? Whereas the unreachable icmp could be interpreted by
> the same scanner as non-existent - as would be the case if there is no
> machine at that IP address.
>
> <SNIP>
>
> I don't think it's possible for a scanner to tell the difference between
> a blanket DENY rule, and a port that has a rule like src ip !=
> some.allowed.machine.com, so the use of the word 'filtered' here is I
> believe a bit wrong. The words 'open' and 'closed' here also don't
> reflect the way TCP/IP ports work, IMHO

FWIW, I agree that portscanners can't tell how or why a firewall DENYs
packets, only that they *are* DENYed (or not :-) )!

As for the terminology - perhaps ports are "[not-] blocked" or
"[un-]available", but since iptables is part of the netfilter project,
"filter" may not be too bad a description of what happens.

Just 2c worth
Maf.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Maf. King
Standby Exhibition Services
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"It is easier to do a job right than to explain why you didn't."
- Martin Van Buren
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
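To make the open/closed/filtered distinction discussed in the thread concrete, here is a small connect-scan classifier. It is an added example, written for this page and not code from any of the posters: it attempts a plain TCP connect() and maps the outcome the way scanners label ports (SYN-ACK: open; RST: closed; no answer at all, or an ICMP host/net unreachable: filtered). The loopback listener, the "nothing listening" port and the constructed exceptions in `sample_outcomes()` are fixtures built for the example; the host and port values are placeholders.

```python
import errno
import socket


def classify_outcome(exc):
    """Map the result of one TCP connect() attempt to a scanner-style state.

    `exc` is None when the connection succeeded, otherwise the OSError raised.
    """
    if exc is None:
        return "open"        # SYN-ACK came back: something is listening
    if isinstance(exc, ConnectionRefusedError):
        return "closed"      # RST (or ICMP port-unreachable, see the note below)
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "filtered"    # silence: a DROP/DENY rule, a black hole, or no host
    if isinstance(exc, OSError) and exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "filtered"    # ICMP host/net unreachable is also reported as filtered
    return "unknown"


def scan_port(host, port, timeout=1.0):
    """Connect-scan one TCP port; returns 'open', 'closed', 'filtered' or 'unknown'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return classify_outcome(None)
    except OSError as exc:
        return classify_outcome(exc)


def sample_outcomes():
    """Constructed exceptions standing in for the wire-level answers a probe can get."""
    return {
        "syn-ack": classify_outcome(None),
        "rst": classify_outcome(ConnectionRefusedError(errno.ECONNREFUSED, "Connection refused")),
        "silence": classify_outcome(TimeoutError("timed out")),
        "icmp-host-unreach": classify_outcome(OSError(errno.EHOSTUNREACH, "No route to host")),
    }


def demo_loopback():
    """Real probes against 127.0.0.1: one port with a listener, one with nothing behind it.

    Both ports are fixtures constructed for this example. 'filtered' cannot be
    shown on loopback because nothing there drops packets.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]

    # Take an ephemeral port number and release it again, so nobody listens there.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()

    try:
        return {
            "listener": scan_port("127.0.0.1", open_port),
            "nothing": scan_port("127.0.0.1", closed_port),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    for label, state in {**sample_outcomes(), **demo_loopback()}.items():
        print(f"{label:18} -> {state}")
```

Two caveats a practitioner should keep in mind. First, iptables spells the silent action DROP (the ipchains-era name DENY used in the thread); silence is exactly what produces the "filtered" verdict, whether a rule caused it or no host exists. Second, a connect() scan like this one cannot separate an RST from an ICMP port-unreachable, because the kernel turns both into ECONNREFUSED; a raw SYN scanner such as nmap reports ICMP unreachable errors as filtered and only a genuine RST as closed, so a plain `REJECT` (default icmp-port-unreachable) still shows up as filtered there, while `REJECT --reject-with tcp-reset` is what yields "closed".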