
The following firewall rulesets are examples of rulesets that are compatible
with psad.  Basically, the only criterion is to have the firewall log and
drop/deny/reject packets that should not be allowed through.  Then a port scan
will manifest itself within /var/log/messages as packets are dropped and
logged, at which time these messages will be written to the
/var/lib/psad/psadfifo named pipe and analyzed by psad.


### iptables:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
ACCEPT     tcp  --  129.xx.xx.xx         64.44.21.15        tcp dpt:22 flags:SYN,RST,ACK/SYN
ACCEPT     tcp  --  208.xx.xx.xx         64.44.21.15        tcp dpt:22 flags:SYN,RST,ACK/SYN
ACCEPT     tcp  --  24.xx.xx.xx          64.44.21.15        tcp dpt:22 flags:SYN,RST,ACK/SYN
ACCEPT     tcp  --  208.xx.xx.xx         64.44.21.15        tcp dpt:22 flags:SYN,RST,ACK/SYN
ACCEPT     tcp  --  0.0.0.0/0            64.44.21.15        tcp dpt:25 flags:SYN,RST,ACK/SYN
ACCEPT     tcp  --  0.0.0.0/0            64.44.21.15        tcp dpt:80 flags:SYN,RST,ACK/SYN
LOG        all  --  0.0.0.0/0            0.0.0.0/0          LOG level warning prefix `DROP '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
LOG        all  --  0.0.0.0/0            0.0.0.0/0          LOG level warning prefix `DROP '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
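
One way to check an "iptables -nL" listing against the log-and-drop criterion
described at the top of this file, given here as an added example that is not
part of psad or of the original file.  The function name, the status words and
the sample listing are constructed for illustration; the check assumes that a
LOG rule earlier in a chain matches the same packets as the DROP/REJECT rule
that follows it, as in the catch-all LOG/DROP pairs above.

```shell
#!/bin/sh
# Added example, not part of psad. Reads `iptables -nL` output on stdin and
# prints "<chain> <status>" per chain:
#   logged   - every DROP/REJECT (or a non-ACCEPT policy) has a LOG rule before it
#   unlogged - packets are dropped with no LOG rule ahead of the drop
#   no-drop  - the chain drops nothing, so there is nothing to log
# Assumption: an earlier LOG rule matches the same packets as the later drop.
# On a live host: iptables -nL | psad_ruleset_check
psad_ruleset_check() {
    awk '
    function report() {
        if (chain == "") return
        if (policy != "ACCEPT" && !logged) unlogged = 1
        if (unlogged) status = "unlogged"
        else if (drops || policy != "ACCEPT") status = "logged"
        else status = "no-drop"
        print chain, status
    }
    $1 == "Chain" {
        report()
        chain = $2
        # User-defined chains have no policy; treat them as ACCEPT.
        policy = ($3 == "(policy") ? $4 : "ACCEPT"
        sub(/\)$/, "", policy)
        logged = 0; drops = 0; unlogged = 0
        next
    }
    $1 == "target" || NF == 0 { next }
    $1 == "LOG" { logged = 1; next }
    $1 == "DROP" || $1 == "REJECT" { drops++; if (!logged) unlogged = 1 }
    END { report() }
    '
}

# Constructed sample listing: INPUT follows the pattern, FORWARD drops silently.
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
LOG        all  --  0.0.0.0/0            0.0.0.0/0          LOG level warning prefix `DROP '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
EOF
}

sample_listing | psad_ruleset_check
```

A chain reported as "unlogged" drops packets that never reach
/var/log/messages, so psad has nothing to analyze for that chain.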
