diff -Naurp linux-2.6.25-hardened.orig/include/linux/sysctl.h linux-2.6.25-hardened/include/linux/sysctl.h
--- linux-2.6.25-hardened.orig/include/linux/sysctl.h 2008-06-21 23:47:41.000000000 -0400
+++ linux-2.6.25-hardened/include/linux/sysctl.h 2008-06-22 14:19:44.000000000 -0400
@@ -447,6 +447,11 @@ enum
 NET_TCP_ALLOWED_CONG_CONTROL=123,
 NET_TCP_MAX_SSTHRESH=124,
 NET_TCP_FRTO_RESPONSE=125,
+ NET_IPV4_ICMP_RESTRICT=126,
+ NET_IPV4_TCP_RESTRICT=127,
+ NET_TCP_STACK_SYNFIN=128,
+ NET_TCP_STACK_BOGUS=129,
+ NET_TCP_STACK_ACK=130,
 };
 
 enum {
diff -Naurp linux-2.6.25-hardened.orig/include/net/icmp.h linux-2.6.25-hardened/include/net/icmp.h
--- linux-2.6.25-hardened.orig/include/net/icmp.h 2008-04-16 22:49:44.000000000 -0400
+++ linux-2.6.25-hardened/include/net/icmp.h 2008-06-22 01:04:15.000000000 -0400
@@ -72,4 +72,9 @@ extern int sysctl_icmp_errors_use_inboun
 extern int sysctl_icmp_ratelimit;
 extern int sysctl_icmp_ratemask;
 
+#ifdef CONFIG_IP_NMAP_FREAK
+extern int sysctl_icmp_restrict;
+extern int sysctl_tcp_restrict;
+#endif
+
 #endif /* _ICMP_H */
diff -Naurp linux-2.6.25-hardened.orig/kernel/sysctl_check.c linux-2.6.25-hardened/kernel/sysctl_check.c
--- linux-2.6.25-hardened.orig/kernel/sysctl_check.c 2008-04-16 22:49:44.000000000 -0400
+++ linux-2.6.25-hardened/kernel/sysctl_check.c 2008-06-22 14:19:31.000000000 -0400
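Review bot: The new constants 126–130 claim fresh binary sysctl numbers in the NET_TCP_* enum, whereas this tree already expects new sysctls to use CTL_UNNUMBERED and be reached through /proc only; a later allocation of the same numbers in the same enum would collide silently with a kernel carrying this patch. NET_IPV4_ICMP_RESTRICT and NET_IPV4_TCP_RESTRICT are also named as NET_IPV4_* values but placed among the NET_TCP_* ones, and the translation table in kernel/sysctl_check.c (@@ -390) and the ctl_table entries in net/ipv4/sysctl_net_ipv4.c (@@ -354 and @@ -453) then have to mirror that placement. Giving those table entries `.ctl_name = CTL_UNNUMBERED` makes this hunk and the sysctl_check.c hunk unnecessary.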
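Review bot: `extern int sysctl_tcp_restrict;` is placed in include/net/icmp.h although the variable is defined in net/ipv4/tcp_ipv4.c (@@ -86) and controls TCP resets; it belongs with the other sysctl_tcp_* externs in include/net/tcp.h. The companion knobs sysctl_tcp_ignore_synfin/bogus/ack get no header declaration at all and are instead re-declared as bare externs inside net/ipv4/sysctl_net_ipv4.c (@@ -31) and net/ipv4/tcp_ipv4.c (@@ -86), so a type change at the definition would not be caught where they are used. One guarded declaration per symbol in net/tcp.h fixes both.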
@@ -390,6 +390,11 @@ static const struct trans_ctl_table tran
 { NET_TCP_MAX_SSTHRESH, "tcp_max_ssthresh" },
 { NET_TCP_FRTO_RESPONSE, "tcp_frto_response" },
 { 2088 /* NET_IPQ_QMAX */, "ip_queue_maxlen" },
+ { NET_IPV4_ICMP_RESTRICT, "icmp_restrict" },
+ { NET_IPV4_TCP_RESTRICT, "tcp_restrict" },
+ { NET_TCP_STACK_SYNFIN, "tcp_ignore_synfin" },
+ { NET_TCP_STACK_BOGUS, "tcp_ignore_bogus" },
+ { NET_TCP_STACK_ACK, "tcp_ignore_ack" },
 {}
 };
 
diff -Naurp linux-2.6.25-hardened.orig/net/ipv4/Kconfig linux-2.6.25-hardened/net/ipv4/Kconfig
--- linux-2.6.25-hardened.orig/net/ipv4/Kconfig 2008-04-16 22:49:44.000000000 -0400
+++ linux-2.6.25-hardened/net/ipv4/Kconfig 2008-06-22 01:04:16.000000000 -0400
@@ -327,6 +327,44 @@ config SYN_COOKIES
 
 If unsure, say N.
 
+config IP_NMAP_FREAK
+ bool "IP: NMAP freak (enabled per default)"
+ depends on INET
+ default n
+ ---help---
+ This is a feature to prevent stealth,fin,rst scans and slows down
+ the tcp connect scan, it also does not show the Operating System.
+
+ You can turn this off(0) and on(1) using /proc
+
+ echo 0 > /proc/sys/net/ipv4/tcp_restrict
+ echo 0 > /proc/sys/net/ipv4/icmp_restrict
+
+ If unsure, say N.
+
+config NET_STEALTH
+ bool "IP: TCP stealth options (enabled per default)"
+ depends on INET
+ default n
+ ---help---
+ If you say Y here, note that these options are now enabled by
+ default; you can disable them by executing the commands
+
+ echo 0 >/proc/sys/net/ipv4/tcp_ignore_ack
+ echo 0 >/proc/sys/net/ipv4/tcp_ignore_bogus
+ echo 0 >/proc/sys/net/ipv4/tcp_ignore_synfin
+
+ at boot time after the /proc file system has been mounted.
+
+ If security is more important, say Y.
+
+config NET_STEALTH_LOG
+ bool 'Log all dropped packets'
+ depends on NET_STEALTH
+ ---help---
+ This turns on a logging facility that logs all tcp packets with
+ bad flags. If you said Y to "TCP stealth options", say Y too.
+
 config INET_AH
 tristate "IP: AH transformation"
 select XFRM
diff -Naurp linux-2.6.25-hardened.orig/net/ipv4/icmp.c linux-2.6.25-hardened/net/ipv4/icmp.c
--- linux-2.6.25-hardened.orig/net/ipv4/icmp.c 2008-04-16 22:49:44.000000000 -0400
+++ linux-2.6.25-hardened/net/ipv4/icmp.c 2008-06-22 01:04:16.000000000 -0400
@@ -192,6 +192,10 @@ struct icmp_err icmp_err_convert[] = {
 int sysctl_icmp_echo_ignore_all __read_mostly;
 int sysctl_icmp_echo_ignore_broadcasts __read_mostly = 1;
 
+#ifdef CONFIG_IP_NMAP_FREAK
+int sysctl_icmp_restrict = 1;
+#endif
+
 /* Control parameter - ignore bogus broadcast responses? */
 int sysctl_icmp_ignore_bogus_error_responses __read_mostly = 1;
 
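Review bot: Both new prompts say "(enabled per default)" while the options themselves carry `default n`; what is on by default is the sysctl value, which the definitions in icmp.c, tcp_input.c and tcp_ipv4.c initialise to 1 once the option is built in, and the help text should say that instead of leaving the prompt and the `default` line to contradict each other. The IP_NMAP_FREAK help claims the feature "does not show the Operating System", which the code does not support: it withholds echo replies and every TCP reset, which alters fingerprinting results but also affects legitimate peers (see the tcp_v4_send_reset hunk), so a sentence such as `Note that suppressing all resets also keeps this host from telling legitimate peers about stale or refused connections.` belongs here. NET_STEALTH_LOG has no `default` line and its help does not mention that each rejected segment produces an unrate-limited printk. "If security is more important, say Y." also departs from the "If unsure, say N." wording used by the entry directly above.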
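Review bot: `int sysctl_icmp_restrict = 1;` lacks the `__read_mostly` placement that every neighbouring sysctl definition in this hunk carries; it is read on each echo request and written only through /proc, so it should be `int sysctl_icmp_restrict __read_mostly = 1;`. The same omission occurs for sysctl_tcp_ignore_synfin/bogus/ack in net/ipv4/tcp_input.c (@@ -92) and for sysctl_tcp_restrict in net/ipv4/tcp_ipv4.c (@@ -86).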
@@ -844,7 +848,12 @@ static void icmp_echo(struct sk_buff *sk
 icmp_param.offset = 0;
 icmp_param.data_len = skb->len;
 icmp_param.head_len = sizeof(struct icmphdr);
+#ifdef CONFIG_IP_NMAP_FREAK
+ if (!sysctl_icmp_restrict)
+ icmp_reply(&icmp_param, skb);
+#else
 icmp_reply(&icmp_param, skb);
+#endif
 }
 }
 
diff -Naurp linux-2.6.25-hardened.orig/net/ipv4/sysctl_net_ipv4.c linux-2.6.25-hardened/net/ipv4/sysctl_net_ipv4.c
--- linux-2.6.25-hardened.orig/net/ipv4/sysctl_net_ipv4.c 2008-04-16 22:49:44.000000000 -0400
+++ linux-2.6.25-hardened/net/ipv4/sysctl_net_ipv4.c 2008-06-22 01:05:46.000000000 -0400
@@ -31,6 +31,11 @@ static int ip_local_port_range_max[] = {
 extern seqlock_t sysctl_port_range_lock;
 extern int sysctl_local_port_range[2];
 
+/* stealth stuff */
+extern int sysctl_tcp_ignore_synfin;
+extern int sysctl_tcp_ignore_bogus;
+extern int sysctl_tcp_ignore_ack;
+
 /* Update system visible IP port range */
 static void set_local_port_range(int range[2])
 {
@@ -354,6 +359,25 @@ static struct ctl_table ipv4_table[] = {
 .proc_handler = &proc_dointvec
 },
 #endif
+#ifdef CONFIG_IP_NMAP_FREAK
+ {
+ .ctl_name = NET_IPV4_ICMP_RESTRICT,
+ .procname = "icmp_restrict",
+ .data = &sysctl_icmp_restrict,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = &proc_dointvec
+ },
+ {
+ .ctl_name = NET_IPV4_TCP_RESTRICT,
+ .procname = "tcp_restrict",
+ .data = &sysctl_tcp_restrict,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = &proc_dointvec
+ },
+#endif
+
 {
 .ctl_name = NET_TCP_TW_RECYCLE,
 .procname = "tcp_tw_recycle",
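Review bot: sysctl_icmp_restrict duplicates the existing sysctl_icmp_echo_ignore_all, which the definition hunk above shows right beside it and which upstream icmp_echo already tests in its opening `if` (that line is above this hunk, so confirm in the tree); the new knob is a second switch with the same effect under a different name, which doubles what an operator has to audit to know whether echo replies are on. If it is kept, avoid writing the unguarded `icmp_reply(&icmp_param, skb);` twice: put `if (sysctl_icmp_restrict) return;` under the #ifdef ahead of the single call instead of the #ifdef/#else/#endif pair. icmp_echo starts outside the hunk.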
@@ -453,6 +477,32 @@ static struct ctl_table ipv4_table[] = {
 },
 
 #endif
+#ifdef CONFIG_NET_STEALTH
+ {
+ .ctl_name = NET_TCP_STACK_SYNFIN,
+ .procname = "tcp_ignore_synfin",
+ .data = &sysctl_tcp_ignore_synfin,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = &proc_dointvec
+ },
+ {
+ .ctl_name = NET_TCP_STACK_BOGUS,
+ .procname = "tcp_ignore_bogus",
+ .data = &sysctl_tcp_ignore_bogus,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = &proc_dointvec
+ },
+ {
+ .ctl_name = NET_TCP_STACK_ACK,
+ .procname = "tcp_ignore_ack",
+ .data = &sysctl_tcp_ignore_ack,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = &proc_dointvec
+ },
+#endif
 {
 .ctl_name = NET_IPV4_IGMP_MAX_MSF,
 .procname = "igmp_max_msf",
diff -Naurp linux-2.6.25-hardened.orig/net/ipv4/tcp_input.c linux-2.6.25-hardened/net/ipv4/tcp_input.c
--- linux-2.6.25-hardened.orig/net/ipv4/tcp_input.c 2008-04-16 22:49:44.000000000 -0400
+++ linux-2.6.25-hardened/net/ipv4/tcp_input.c 2008-06-22 01:04:16.000000000 -0400
@@ -92,6 +92,12 @@ int sysctl_tcp_nometrics_save __read_mos
 int sysctl_tcp_moderate_rcvbuf __read_mostly = 1;
 int sysctl_tcp_abc __read_mostly;
 
+#ifdef CONFIG_NET_STEALTH
+int sysctl_tcp_ignore_synfin = 1;
+int sysctl_tcp_ignore_bogus = 1;
+int sysctl_tcp_ignore_ack = 1;
+#endif
+
 #define FLAG_DATA 0x01 /* Incoming frame contained data. */
 #define FLAG_WIN_UPDATE 0x02 /* Incoming ACK was a window update. */
 #define FLAG_DATA_ACKED 0x04 /* This ACK acknowledged new data. */
diff -Naurp linux-2.6.25-hardened.orig/net/ipv4/tcp_ipv4.c linux-2.6.25-hardened/net/ipv4/tcp_ipv4.c
--- linux-2.6.25-hardened.orig/net/ipv4/tcp_ipv4.c 2008-06-21 23:47:41.000000000 -0400
+++ linux-2.6.25-hardened/net/ipv4/tcp_ipv4.c 2008-06-22 01:08:08.000000000 -0400
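Review bot: sysctl_tcp_ignore_synfin, sysctl_tcp_ignore_bogus and sysctl_tcp_ignore_ack are defined here in tcp_input.c, yet nothing in this file reads them; their only consumer in the series is tcp_v4_rcv in net/ipv4/tcp_ipv4.c (@@ -1636), which re-declares them as externs at its top (@@ -86). Defining them next to sysctl_tcp_restrict in tcp_ipv4.c, under the same CONFIG_NET_STEALTH guard, removes the cross-file externs and keeps each knob beside the code it controls. As far as this diff shows, no net/ipv6 file is touched, so a dual-stack host would still accept the same flag combinations over tcp_v6_rcv; the Kconfig help should state that the checks are IPv4-only.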
@@ -86,6 +86,16 @@ int sysctl_tcp_tw_reuse __read_mostly;
 int sysctl_tcp_low_latency __read_mostly;
 
 
+#ifdef CONFIG_IP_NMAP_FREAK
+int sysctl_tcp_restrict = 1;
+#endif
+
+#ifdef CONFIG_NET_STEALTH
+extern int sysctl_tcp_ignore_synfin;
+extern int sysctl_tcp_ignore_bogus;
+extern int sysctl_tcp_ignore_ack;
+#endif
+
 /* Check TCP sequence numbers in ICMP packets. */
 #define ICMP_MIN_LENGTH 8
 
@@ -549,6 +559,11 @@ static void tcp_v4_send_reset(struct soc
 struct tcp_md5sig_key *key;
 #endif
 
+#ifdef CONFIG_IP_NMAP_FREAK
+ if (sysctl_tcp_restrict)
+ return;
+#endif
+
 /* Never send a reset in response to a reset. */
 if (th->rst)
 return;
@@ -1636,6 +1651,23 @@ int tcp_v4_rcv(struct sk_buff *skb)
 if (!skb_csum_unnecessary(skb) && tcp_v4_checksum_init(skb))
 goto bad_packet;
 
+#ifdef CONFIG_NET_STEALTH
+ if(sysctl_tcp_ignore_synfin) {
+ if(th->fin && th->syn)
+ goto tcp_bad_flags;
+ }
+
+ if(sysctl_tcp_ignore_bogus) {
+ if(!(th->ack || th->syn || th->rst) || th->res1)
+ goto tcp_bad_flags;
+ }
+
+ if(sysctl_tcp_ignore_ack) {
+ if(th->fin && th->psh && th->urg)
+ goto tcp_bad_flags;
+ }
+#endif
+
 th = tcp_hdr(skb);
 iph = ip_hdr(skb);
 TCP_SKB_CB(skb)->seq = ntohl(th->seq);
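Review bot: The early `return` silences every reset tcp_v4_send_reset would send, not only those answering unsolicited probes: a peer whose connection this host has forgotten (reboot, listener closed, timed-out socket) never learns that its segments are rejected and keeps retransmitting until its own timers expire, and the Kconfig text does not mention this cost. If the intent is only to stay quiet for segments that match no socket, the guard can be narrowed to that path, e.g. `if (sysctl_tcp_restrict && !sk) return;`, on the assumption that the socket-less callers pass a NULL sk — the parameter list is cut at the hunk header, so confirm it. tcp_v4_send_reset's body continues outside the hunk.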
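Review bot: The three new flag checks dereference `th` before the `th = tcp_hdr(skb);` refresh that immediately follows them, but the `pskb_may_pull(skb, th->doff * 4)` above the hunk can relocate the header, which is exactly why the existing code re-fetches `th` after the checksum step; move the whole #ifdef block below `iph = ip_hdr(skb);` so it reads the refreshed pointer. The name tcp_ignore_ack does not describe its test, which drops FIN+PSH+URG segments and never looks at the ACK bit, so an operator reading /proc will disable the wrong knob; rename it or document the condition at the sysctl. `goto tcp_bad_flags` ends at bad_packet (outside the hunk), which upstream counts the segment as a TCP input error, so deliberately dropped segments inflate TCP_MIB_INERRS; discard_it would be the neutral target. Kernel style also wants `if (` with a space and each guard collapsed to one condition, e.g. `if (sysctl_tcp_ignore_synfin && th->fin && th->syn) goto tcp_bad_flags;`.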
@@ -1687,6 +1719,33 @@ process:
 
 return ret;
 
+#ifdef CONFIG_NET_STEALTH_LOG
+tcp_bad_flags:
+ printk(KERN_INFO
+ "Packet log: badflag DENY %s PROTO=TCP %d.%d.%d.%d:%d "
+ "%d.%d.%d.%d:%d L=%hu:%u:%u S=0x%2.2hX I=%hu:%u:%u "
+ "T=%hu %c%c%c%c%c%c%c%c%c\n",
+ skb->dev->name, NIPQUAD(skb->nh.iph->saddr), ntohs(th->source),
+ NIPQUAD(skb->nh.iph->daddr), ntohs(th->dest),
+ ntohs(skb->nh.iph->tot_len), skb->len, skb->len - th->doff*4,
+ skb->nh.iph->tos, ntohs(skb->nh.iph->id), ntohl(th->seq),
+ ntohl(th->ack_seq), skb->nh.iph->ttl,
+ th->res1 ? '1' : '.',
+ th->ece ? 'E' : '.',
+ th->cwr ? 'C' : '.',
+ th->ack ? 'A' : '.',
+ th->syn ? 'S' : '.',
+ th->fin ? 'F' : '.',
+ th->rst ? 'R' : '.',
+ th->psh ? 'P' : '.',
+ th->urg ? 'U' : '.' );
+ goto bad_packet;
+#else
+tcp_bad_flags:
+ goto bad_packet;
+
+#endif /* CONFIG_NET_STEALTH_LOG */
+
 no_tcp_socket:
 if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb))
 goto discard_it;
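Review bot: The CONFIG_NET_STEALTH_LOG branch reads `skb->nh.iph`, but the receive path in this same file uses `ip_hdr(skb)` (visible as context in the @@ -1636 hunk) and the `nh` union appears to have been removed from struct sk_buff before this kernel, so the logging variant is unlikely to compile; replace every `skb->nh.iph` with `ip_hdr(skb)`. The printk fires once per rejected segment with no rate limiting, so a remote sender can fill the kernel log at line rate; guard it with `if (net_ratelimit())` as other receive-path diagnostics do. When CONFIG_NET_STEALTH is not set the `#else` arm still defines `tcp_bad_flags:` although no `goto` references it, which produces an unused-label warning; wrap the whole block in `#ifdef CONFIG_NET_STEALTH`. tcp_v4_rcv continues past the end of the hunk.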