Penetration Testing mailing list archives

[PEN-TEST] Undetectable NMAP scans


From: Steve Cody <SCody () GULBRANDSEN COM>
Date: Tue, 22 Aug 2000 09:13:02 -0400

I was recently testing one of my firewalls using nmap.  I used an option
that I don't use much, the -sX (XMAS scan).  I noticed that my ipchains-
based (Redhat 6.2) firewall did not make a single log entry during the
entire scan.  Also, the system that I scanned from was able to identify all
of the services listening on my system; more importantly, it detected the
listening, but blocked, ports.  For example, I have port 110 blocked.
However, on my internal home network, I connect to it for my POP3 mail.  The
scan was able to determine that port 110 is listening, even though that
system cannot connect to it.

The thing that disturbs me is that I was able to do a scan of my system and
have it not be detected at all.  All previous, and subsequent scans from
that same host, if I did not use the -sX option in NMAP, create many entries
in my log.

Does anyone know what I can do with ipchains to make it more sensitive to
this type of scan?  I have since installed Port Sentry, so that scan is
picked up by it, but still, I don't run Port Sentry on all of my systems for
various reasons.

Any ideas?

Steve Cody
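The behaviour described in the post, as an added example that is not part of the original message and is not code from nmap or ipchains: an nmap -sX probe is a TCP segment with FIN, PSH and URG set and no SYN. Under RFC 793 a closed port answers any such segment with RST, while a listening port drops it silently, so the scanner reads silence as "open|filtered" and RST as "closed" without ever completing a handshake. ipchains' only TCP-flag match is -y (SYN set, ACK and FIN clear), so a rule of the form "deny, log, -y, dport 110" never sees the XMAS probe at all. The script below builds raw TCP headers, classifies the probe types, models the -y match, and infers port state from the replies. The trace, the scanner port 40123 and the closed port 111 are all constructed for illustration; the -y semantics are modelled in Python, not executed by ipchains.

```python
# Added example (not from the original post or from nmap/ipchains): model an
# nmap XMAS probe on the wire, the RFC 793 reply it draws, and why an
# ipchains rule keyed on -y (SYN only) never matches it.  All traffic here
# is constructed; nothing is sent on the network.
import struct
from typing import Dict, List, Optional, Tuple

# TCP flag bits as laid out in byte 13 of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG  # what nmap -sX sets


def build_tcp(sport: int, dport: int, flags: int) -> bytes:
    """Build a bare 20-byte TCP header (no IP header, zero checksum)."""
    data_offset = 5 << 4  # header length 5 words = 20 bytes, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags, 1024, 0, 0)


def parse_tcp(segment: bytes) -> Tuple[int, int, int]:
    """Return (sport, dport, flags) from a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport = struct.unpack("!HH", segment[:4])
    return sport, dport, segment[13]


def probe_type(flags: int) -> Optional[str]:
    """Name nmap's non-SYN stealth probes; None for ordinary traffic."""
    if flags == 0:
        return "NULL"   # nmap -sN
    if flags == FIN:
        return "FIN"    # nmap -sF
    if flags == XMAS:
        return "XMAS"   # nmap -sX
    return None


def matches_ipchains_syn(flags: int) -> bool:
    """Model of ipchains -y: SYN set with ACK and FIN both clear (assumed semantics)."""
    return bool(flags & SYN) and not (flags & (ACK | FIN))


def infer_port_state(reply_flags: Optional[int]) -> str:
    """RFC 793 reply to a non-SYN probe: RST means closed, silence means open or filtered."""
    if reply_flags is None:
        return "open|filtered"
    if reply_flags & RST:
        return "closed"
    return "unexpected"


def scan_report(exchanges: List[Tuple[bytes, Optional[bytes]]]) -> Dict[int, str]:
    """Map each probed port to the state nmap would infer from its reply."""
    report: Dict[int, str] = {}
    for probe, reply in exchanges:
        _, dport, pflags = parse_tcp(probe)
        if probe_type(pflags) is None:
            continue  # not a stealth probe; handshake-based logic applies instead
        rflags = parse_tcp(reply)[2] if reply is not None else None
        report[dport] = infer_port_state(rflags)
    return report


def syn_rule_alerts(exchanges: List[Tuple[bytes, Optional[bytes]]]) -> List[int]:
    """Destination ports a `-y` (SYN-only) logging rule would actually record."""
    return [parse_tcp(p)[1] for p, _ in exchanges if matches_ipchains_syn(parse_tcp(p)[2])]


# Constructed trace (hypothetical scanner port 40123, hypothetical closed port 111):
#   XMAS to 110 (POP3 listening, SYN blocked by the firewall) -> no reply
#   XMAS to 111 (nothing listening)                            -> RST from the stack
#   plain SYN to 110                                            -> dropped by the firewall
SCANNER = 40123
TRACE = [
    (build_tcp(SCANNER, 110, XMAS), None),
    (build_tcp(SCANNER, 111, XMAS), build_tcp(111, SCANNER, RST | ACK)),
    (build_tcp(SCANNER, 110, SYN), None),
]

if __name__ == "__main__":
    print(scan_report(TRACE))      # {110: 'open|filtered', 111: 'closed'}
    print(syn_rule_alerts(TRACE))  # [110]  -- only the plain SYN is ever logged
```

The report shows exactly what the post observed: port 110 comes back as listening although the firewall blocks connections to it, and the only packet a -y rule ever logs is the ordinary SYN. ipchains has no general TCP-flag match, so a flag-aware rule is not expressible there; a host-based watcher such as PortSentry, or a packet filter that can match flag combinations, is what catches the FIN/PSH/URG probe.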

