Can be done by ACL denying access to these ports or by shutting down the WAN interface ;-) This is most probably not what you want.
If your PIX refuses to connect to the port the listener of the daemon of DMZ' server will not be reachable anymore from the outside This is due to the nature of tcp and not related to any special firewall.
Uli Link wrote in news:483fd23d$0 $27444$ email@example.com:
I fully agree with you. something needs to respond to requests for a certain port. I was actually hoping that the Pix had some feature that deals with certain characteristics of a portscan. Portscans are recognizeable in general...but maybe not by a pix?
So I know that with IPTABLES you can do things like reject access after certain connection attempts in a specific time frame from the same IP or any other combination you can dream up. I presume that is what you want? I am not sure if the PIX can do this or not.
There are millions of port scans performed on a daily basis. Its much noise.
If I am after your network, a quick gander of the nmap manual page gives me several ways to get around you blocking me. And I probably wouldn't compromise your network from the same netblock I am scanning you from.
I will say that restricting access to ports can back fire on you.
If I want to give you a really bad day, I'll just hijack some CLASS C (and maybe a couple class b) subnets and do a really aggressive NMAP scan from a wide variety of compromised hosts and sit back and smile as your customer support line rings off the hook. :)
I would look at rate limiting and other measures before implementing something like automated port blocking.
If this is a Linux box you can always use portsentry. It may have been ported to other versions of UNIX not sure.