This is a patch to prevent portscans it prevents NULL scans , FIN scans , Xmas scan , Connect scan , Stealth scan It also prevents fingerprinting of the operating system hmm patch the kernel with the patch The antiscan features are settable through sysctl sysctl net.inet.tcp.nmap_freak=1 sysctl net.inet.udp.nmap_freak=1 wel thats it viola you have a stealth box with no portscans what so ever and no fingerprints jaguar@datafort.net cut here ---------------------------------------------
diff -uxr /usr/src/sys/netinet/tcp_input.c /usr/src.old/sys/netinet/tcp_input.c
--- /usr/src/sys/netinet/tcp_input.c Wed Aug 22 06:29:12 2001
+++ /usr/src.old/sys/netinet/tcp_input.c Tue Mar 12 03:55:41 2002
@@ -125,6 +125,10 @@
 &tcp_lq_overflow, 0, "Listen Queue Overflow");
+static int nmap_freak = 0;
+SYSCTL_INT(_net_inet_tcp, OID_AUTO, nmap_freak, CTLFLAG_RW, &nmap_freak, 0 , " nmap freak patch to prevent scans");
+
+
 #ifdef TCP_DROP_SYNFIN
 static int drop_synfin = 0;
 SYSCTL_INT(_net_inet_tcp, OID_AUTO, drop_synfin, CTLFLAG_RW,
@@ -489,6 +493,13 @@
 goto drop;
 #endif
+if(thflags == 0)
+ goto dropwithreset;
+if(thflags == (TH_FIN|TH_PUSH|TH_URG))
+ goto dropwithreset;
+if(thflags == TH_FIN)
+ goto drop;
+
 /*
 * Convert TCP protocol specific fields to host format.
 */
@@ -568,7 +579,6 @@
 goto drop;
 }
 #endif /*IPSEC*/
-
 /*
 * If the state is CLOSED (i.e., TCB does not exist) then
 * all data in the incoming segment is discarded.
@@ -612,6 +622,19 @@
 break;
 }
 }
+
+ if(nmap_freak) {
+ switch (nmap_freak) {
+ case 1:
+ if(thflags & TH_SYN)
+ goto drop;
+ break;
+ default :
+ goto drop;
+ }
+}
+
+
 if (blackhole) {
 switch (blackhole) {
 case 1:
Only in /usr/src.old/sys/netinet: tcp_subr.c.old
diff -uxr /usr/src/sys/netinet/udp_usrreq.c /usr/src.old/sys/netinet/udp_usrreq.c
--- /usr/src/sys/netinet/udp_usrreq.c Thu Aug 9 00:29:54 2001
+++ /usr/src.old/sys/netinet/udp_usrreq.c Tue Mar 12 04:01:48 2002
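Review bot: The three flag checks added after the `#endif` in the second hunk run before any PCB lookup, so they apply to every incoming segment, including ones addressed to an established connection, and a flagless or FIN|PSH|URG segment now answers with a RST where the stock code would have continued into the normal state machine. If the intent is only to hide closed ports, the checks belong in the no-matching-PCB branch that the fourth hunk edits, next to `blackhole`. `goto dropwithreset` is also taken here before any tcpcb has been found; the `dropwithreset:` label is outside the hunk, so confirm it tolerates a null `tp` at this point. The new lines are unindented and use `if(` unlike the surrounding `if (` style, and nothing records why the three probes are treated differently; a comment such as `/* flagless and FIN|PSH|URG probes: answer RST; bare FIN: drop silently */` above them would do.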
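Review bot: The `nmap_freak` switch in the fourth hunk duplicates the `blackhole` switch that immediately follows it: `case 1` drops segments carrying TH_SYN and `default :` drops everything, which, if the `blackhole` switch below keeps its usual 1/2 meaning, is exactly what `blackhole` already offers in the same branch, so the new sysctl adds a knob without adding behaviour. Either fold the setting into `blackhole` or state why a separate one is wanted; at minimum the description added in the first hunk, `" nmap freak patch to prevent scans"` (note the stray leading space), should say what value 1 and other non-zero values do, e.g. `"1: drop SYN to closed ports, >1: drop all segments to closed ports"`. The enclosing block starts and ends outside this hunk; from the surrounding `blackhole` code it appears to be the path for segments with no matching PCB, so only probes to ports without a listener are affected and open ports still answer normally, which the cover note's claim about connect scans and fingerprinting does not reflect. The `if(nmap_freak)` wrapper and `default :` spacing also depart from the file's `if (` style.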
@@ -90,6 +90,11 @@
 SYSCTL_INT(_net_inet_udp, UDPCTL_CHECKSUM, checksum, CTLFLAG_RW,
 &udpcksum, 0, "");
+static int nmap_freak = 0;
+SYSCTL_INT(_net_inet_udp, OID_AUTO, nmap_freak , CTLFLAG_RW, &nmap_freak , 0 , "foo for udp scans");
+
+
+
 int log_in_vain = 0;
 SYSCTL_INT(_net_inet_udp, OID_AUTO, log_in_vain, CTLFLAG_RW,
 &log_in_vain, 0, "Log all incoming UDP packets");
@@ -353,17 +358,20 @@
 udpstat.udps_noportbcast++;
 goto bad;
 }
+ if(nmap_freak)
+ goto bad;
+
 #ifdef ICMP_BANDLIM
 if (badport_bandlim(BANDLIM_ICMP_UNREACH) < 0)
 goto bad;
 #endif
- if (blackhole)
+ if (blackhole)
 goto bad;
 *ip = save_ip;
 ip->ip_len += iphlen;
 icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_PORT, 0, 0);
 return;
- }
+ }
 #ifdef IPSEC
 if (ipsec4_in_reject_so(m, inp->inp_socket)) {
 ipsecstat.in_polvio++;
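Review bot: `if(nmap_freak) goto bad;` in the second hunk sits a few lines above `if (blackhole) goto bad;` and has the same effect — the datagram is freed and no ICMP port-unreachable is generated — so `net.inet.udp.nmap_freak` is a second name for `net.inet.udp.blackhole`. Reuse `blackhole`, or state in the sysctl description why a separate knob is needed; the description added in the first hunk, `"foo for udp scans"`, is a placeholder and should read something like `"Drop UDP datagrams to unbound ports without sending ICMP unreachable"`. The `- if (blackhole)`/`+ if (blackhole)` and `- }`/`+ }` pairs change only whitespace (presumably tabs rewritten as spaces) and should be dropped from the patch. The enclosing block starts outside the hunk; that the new check is on the no-bound-socket path is inferred from the `udps_noportbcast` context, not shown.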