mirror of
git://git.code.sf.net/p/xtables-addons/xtables-addons
synced 2025-09-07 05:05:12 +02:00
28 lines
1.3 KiB
Groff
Detects simple port scan attempts based upon the packet's contents. (This is
different from other implementations, which also try to match the rate of new
connections.) Note that an attempt is only discovered after it has been carried
out, but this information can be used in conjunction with other rules to block
the remote host's future connections. So this match module will match on the
(probably) last packet the remote side will send to your machine.
.TP
\fB--stealth\fR
Match if the packet did not belong to any known TCP connection
(Stealth/FIN/XMAS/NULL scan).
.TP
\fB--synscan\fR
Match if the connection was a TCP half-open discovery (SYN scan), i.e. the
connection was torn down after the 2nd packet in the 3-way handshake.
.TP
\fB--cnscan\fR
Match if the connection was a TCP full open discovery (connect scan), i.e. the
connection was torn down after completion of the 3-way handshake.
.TP
\fB--grscan\fR
Match if data in the connection only flowed in the direction of the remote side,
e.g. if the connection was terminated after a locally running daemon sent its
identification (e.g. openssh).
.PP
NOTE: Some clients (Windows XP for example) may do what looks like a SYN scan,
so be advised to use xt_portscan carefully in conjunction with blocking rules,
as it may lock out your very own internal network.
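The four verdicts above, modelled as a user-space classifier over a finished TCP conversation. This is an added illustration, not code from xtables-addons (the real xt_portscan is a kernel netfilter match); the `Pkt` record and the sample segments are constructed here. As the man page warns, a legitimate client that resets right after the SYN/ACK is classified exactly like a SYN scan.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    """One TCP segment of a conversation (constructed sample data)."""
    inbound: bool   # True: remote -> local host, False: local host -> remote
    flags: str      # any of S(YN) A(CK) F(IN) R(ST) P(SH) U(RG)
    data: int = 0   # payload bytes carried

def _torn_down(p):
    return 'R' in p.flags or 'F' in p.flags

def classify(pkts):
    """Return 'stealth', 'synscan', 'cnscan', 'grscan' or 'normal'.

    Like xt_portscan, any verdict other than 'stealth' is only possible once the
    conversation has been torn down; a still-open connection reports 'normal'.
    """
    if not pkts:
        return 'normal'
    first = pkts[0]
    # Stealth (FIN/XMAS/NULL): the first segment is not the remote side's SYN,
    # so it does not belong to any known connection.
    if not (first.inbound and 'S' in first.flags and 'A' not in first.flags):
        return 'stealth'
    if not _torn_down(pkts[-1]):
        return 'normal'          # still open: nothing to decide yet
    # Follow the 3-way handshake: SYN in, SYN/ACK out, ACK in.
    done = 1
    if len(pkts) > 1 and not pkts[1].inbound and {'S', 'A'} <= set(pkts[1].flags):
        done = 2
        if (len(pkts) > 2 and pkts[2].inbound and 'A' in pkts[2].flags
                and not ('S' in pkts[2].flags or _torn_down(pkts[2]))):
            done = 3
    if done == 2:
        return 'synscan'         # half open: torn down right after the SYN/ACK
    if done < 3:
        return 'normal'          # e.g. SYN to a closed port answered with RST
    data_in = sum(p.data for p in pkts[3:] if p.inbound)
    data_out = sum(p.data for p in pkts[3:] if not p.inbound)
    if data_in == 0 and data_out == 0:
        return 'cnscan'          # full open, then torn down without payload
    if data_in == 0:
        return 'grscan'          # only the local daemon's banner was sent
    return 'normal'
```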