With ipchains you can ACCEPT, REJECT or DENY a packet. What ACCEPT does is self-explainatory, but nearly everybody asks what the difference between REJECT and DENY is and which one is better. And how does nmap see the ports? Below is my attempt at explaining the differences. The example transactions were captured with tcpdump.