Security Basics mailing list archives

Re: how nmap can know my firewalled servers ?


From: "Alexey Eremenko" <al4321 () gmail com>
Date: Thu, 13 Apr 2006 07:59:43 -0200

I am assuming you are using a DROP rule on your firewall.  NMAP knows
that if it does not receive a response for a TCP connection then it is
firewalled.  Dropping traffic at a firewall violates RFC and makes it
much easier to know when there is a firewall between the scanner and the
end host.  I recommend using REJECT

-A INPUT -j REJECT --reject-with icmp-host-unreachable

That will conform to RFC (I'm pretty sure) and will make it harder to
detect a firewall with NMAP.


True, I am using DROP state on my iptables, but even when I changed
the state of my firewall to "REJECT --reject-with
icmp-host-unreachable", nmap _still_ knows that my services are
running (telnet) and are filtered!

linux:/ # iptables -A INPUT -p tcp --dport 23 -j REJECT --reject-with icmp-host-unreachable
linux:/ # nmap  localhost

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-04-13 12:59 GMT+2
Interesting ports on localhost (127.0.0.1):
(The 1648 ports scanned but not shown below are in state: closed)
PORT      STATE    SERVICE
22/tcp    open     ssh
23/tcp    filtered telnet
...

linux:/ # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere            tcp dpt:telnet reject-with icmp-host-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


So how do I fool nmap that my service is really down?
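The behaviour in the scan above follows directly from how nmap's SYN scan classifies replies: a SYN/ACK means "open", a TCP RST means "closed", and silence or an ICMP destination-unreachable error (type 3, codes 1, 2, 3, 9, 10 or 13) means "filtered". An ICMP host-unreachable is type 3 code 1, so REJECT with that target is still reported as filtered; only a RST, which iptables sends with `--reject-with tcp-reset`, makes a rejected TCP port look like any other closed port. The following model is an added example written for this archive page, not code from the poster or from nmap or iptables: the packets are constructed inline, the IP/TCP/ICMP encoding is simplified to the fields that matter, and the address and port values are arbitrary.

```python
"""Model of how an nmap SYN scan turns a firewall's reply (or silence) into a
port state, and what each iptables target actually sends back.
Added example for this thread; packets below are constructed, not captured."""
import struct

IPPROTO_ICMP, IPPROTO_TCP = 1, 6
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10
# ICMP type 3 codes that a SYN scan maps to "filtered":
# 1 host, 2 protocol, 3 port, 9 net-admin, 10 host-admin, 13 admin prohibited
FILTERED_UNREACH_CODES = {1, 2, 3, 9, 10, 13}


def ipv4(proto: int, payload: bytes, src="10.0.0.23", dst="10.0.0.99") -> bytes:
    """Minimal 20-byte IPv4 header; checksum left at 0 because nothing here verifies it."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0x1234, 0, 64, proto, 0, src_b, dst_b)
    return hdr + payload


def tcp(sport: int, dport: int, flags: int) -> bytes:
    """Bare 20-byte TCP header carrying only the flags we care about."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0, 0, 0)


def icmp_unreachable(code: int, original: bytes) -> bytes:
    """ICMP type 3 quoting the offending IP header + 8 bytes, as RFC 792 requires."""
    return struct.pack("!BBHI", 3, code, 0, 0) + original[:28]


# The scanner's SYN to tcp/23 (hypothetical addresses and source port).
PROBE = ipv4(IPPROTO_TCP, tcp(40000, 23, TCP_SYN), src="10.0.0.99", dst="10.0.0.23")

ACTIONS = [
    "DROP",
    "REJECT --reject-with icmp-host-unreachable",
    "REJECT --reject-with icmp-port-unreachable",   # iptables' default for REJECT
    "REJECT --reject-with tcp-reset",
    "ACCEPT (service listening)",
]


def firewall_reply(action: str, probe: bytes = PROBE):
    """What the target emits in response to one SYN under each iptables configuration."""
    if action == "DROP":
        return None                                   # silence
    if action == "REJECT --reject-with icmp-host-unreachable":
        return ipv4(IPPROTO_ICMP, icmp_unreachable(1, probe))
    if action == "REJECT --reject-with icmp-port-unreachable":
        return ipv4(IPPROTO_ICMP, icmp_unreachable(3, probe))
    if action == "REJECT --reject-with tcp-reset":
        return ipv4(IPPROTO_TCP, tcp(23, 40000, TCP_RST | TCP_ACK))
    if action == "ACCEPT (service listening)":
        return ipv4(IPPROTO_TCP, tcp(23, 40000, TCP_SYN | TCP_ACK))
    raise ValueError(f"unknown action: {action}")


def nmap_state(reply) -> str:
    """SYN-scan decision: SYN/ACK -> open, RST -> closed, anything else -> filtered."""
    if reply is None:
        return "filtered"                             # no answer after retransmits
    ihl = (reply[0] & 0x0F) * 4
    proto, body = reply[9], reply[ihl:]
    if proto == IPPROTO_TCP:
        flags = body[13]
        if flags & TCP_RST:
            return "closed"
        if flags & (TCP_SYN | TCP_ACK) == TCP_SYN | TCP_ACK:
            return "open"
    elif proto == IPPROTO_ICMP and body[0] == 3 and body[1] in FILTERED_UNREACH_CODES:
        return "filtered"
    # Any other packet is not a valid answer to the probe; the port times out as filtered.
    return "filtered"


def scan_table() -> dict:
    """Port state nmap would report for tcp/23 under each configuration."""
    return {action: nmap_state(firewall_reply(action)) for action in ACTIONS}


if __name__ == "__main__":
    for action, state in scan_table().items():
        print(f"{action:45} -> {state}")
```

Running it shows DROP and both ICMP REJECT variants ending up as "filtered", and only `tcp-reset` producing "closed", which is the state an unfirewalled port with nothing listening would show. Note that a RST is still a fingerprint of sorts (a host that answers RST with a hop count or TTL unlike its neighbours can still be spotted), but it removes the explicit "filtered" verdict the poster is asking about.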
