[RFC] --exclude-ports option for Nmap

[Jay Bosamiya <jaybosamiya () gmail com>]

Hi All!

The --exclude-ports option would be a major boon to many Nmap users and
it has been in demand for quite a while now. However, there are some
things that need to be thought about before we add it in.

1. How does it interact with -p? More specifically, what does "-p 80
--exclude-ports 80" do (since user specifically included it as well as
excluded it)?
        I think that we should follow a "exclude has higher priority than
include" ideology and NOT scan 80 in this case. However, we could show a
warning to a user if he has included a port individually and then
excluded it (i.e. not using ranges). The warning thing could be added
later on, as a follow up.

2. How does it interact with --top-ports? More specifically, how many
ports does "--top-ports 2 --exclude-ports 80" scan? 1 or 2?
        I think that it should scan 2 ports excluding port 80 (i.e. it should
scan ports 23 and 443). This seems to be the logical way that anyone
would read the command too.

3. How should the arguments for it be taken? Similar to -p, or only
individual ports should be taken?
        I think that we should allow for ranges of ports to also be
specified, very similar to the way we take input for -p (kind of like
"--exclude-ports 80-90,666"). This would make it very easy for users to
use this option.

4. Should there be a one-letter flag for it? If so, what should it be?
        I don't think that it needs a one-letter flag but this depends on how
much it will be used.


I would request you all to comment on the above questions (whether you
agree with my point of view or not) and also add in other
questions/points that you find necessary/relevant.

Cheers,
Jay
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/