Ni Brian, Nor should you. Blocking addresses that scan you is like shooting at cars that drive past your home and look at your windows and front door. :-) Be aware of the attempt, but you'll end up making a critical error sooner or later if you block addresses without putting some intelligence behind the block. HTH, Tom Thomas W Shinder www.isaserver.org/shinder <http://www.isaserver.org/shinder> ISA Server and Beyond: http://tinyurl.com/1jq1 Configuring ISA Server: http://tinyurl.com/1llp <http://tinyurl.com/1llp> -----Original Message----- From: Rogers, Brian [mailto:RogersB@xxxxxxxxxxxxxx] Sent: Tuesday, August 19, 2003 1:23 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: port scan detected http://www.ISAserver.org I simply don't have time to add a new filter for each and every ip address that scans the firewall. Perhaps if it would allow you to create a list of them you could update...but creating a single packet filter for every scan ive gotten would take me hours. -----Original Message----- From: Mark Hopkins [mailto:Mark.Hopkins@xxxxxxxxxxxxxxxxxxxxx] Sent: Tuesday, August 19, 2003 2:10 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: port scan detected http://www.ISAserver.org Personally, I figure that a port scan on my site is someone up to no good, and I ban the IP address (inbound). If the IP address if resolvable and I can contact the owner, I will attempt to do so. If the owner takes appropriate action (to my liking), I remove the packet filter. Lately I seem to be getting a couple of scans per week. Perhaps I should ban all incoming traffic! :-) :-) :-) Mark