> However, if the packets are caught by "Drop" rule, the packets are
> also logged, but they pass through FW-1 to the destination (verified
> by sniffer) and the replies do pass back, so nmap detects the
> listening ports. The packets are logged as dropped.
I believe this is considered a "feature". Check if the data of the
original packet was passed through or if it is just the header.
I believe the reason for this is to allow sessions interrupted by an
installation of the policy to not be terminated when the state table is
cleared. However, I believe that only packets that would possibly be
allowed by a reverse rule will see such behaviour.
There was a message a couple of months ago to this list that made
the same discovery.
il Phone: +972-2-6795860 --Standard Disclaimer--
Fight Internet Spam! http://www.vix.com/spam/ (PGP key available)
Description: PGP signature