* Michael wrote on Wed, Nov 27, 2002 at 14:13 -0500:
> In the case of my setup, I have to reject with host unreachable
> because I drop all outbound ICMP port unreachable packets to
> block traceroutes..

If you feel a need to block traceroute, why don't you block TTL exceeded but host unreachable? Did you mix up the type 3 ICMPs, maybe? I suggest blocking time-exceeded if you think you need it, but allow destination-unreachable at least for any that can be viewable, otherwise for the clients it takes a long time to find out that a service isn't offered (well, I believe sometimes a connection is not an attack but a request :)).

oki,

Steffen

--
This message was generated by machine and therefore bears neither signature nor seal.
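
The client-side effect described in the reply above, as an added example that is not part of the original mail: a UDP client learns at once that nothing is listening when the ICMP port-unreachable reaches it, and otherwise waits out its full timeout. The function names are hypothetical, and a bound but silent loopback socket is assumed as a stand-in for a host whose unreachable replies are filtered.

```python
import socket
import time


def probe_udp(host, port, timeout=1.0):
    """Send one datagram; return (outcome, seconds until the client knew)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    start = time.monotonic()
    try:
        # connect() on a UDP socket lets the kernel report ICMP errors
        # for this destination back to us as ECONNREFUSED.
        s.connect((host, port))
        s.send(b"probe")
        s.recv(512)
        return "answered", time.monotonic() - start
    except ConnectionRefusedError:
        # ICMP destination-unreachable (port unreachable) was delivered.
        return "refused", time.monotonic() - start
    except socket.timeout:
        # No reply and no ICMP error: indistinguishable from packet loss.
        return "timeout", time.monotonic() - start
    finally:
        s.close()


def closed_local_port():
    """Find a loopback UDP port that nothing is bound to."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo(timeout=1.0):
    """Compare a port that yields an ICMP error with one that stays silent."""
    refused = probe_udp("127.0.0.1", closed_local_port(), timeout)
    # Constructed stand-in: a socket that is bound but never answers, so the
    # client sees neither a reply nor an ICMP error.
    silent = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    silent.bind(("127.0.0.1", 0))
    try:
        quiet = probe_udp("127.0.0.1", silent.getsockname()[1], timeout)
    finally:
        silent.close()
    return refused, quiet


if __name__ == "__main__":
    for outcome, secs in demo():
        print(f"{outcome:8s} after {secs:.3f}s")
```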