Matteo Croce <mat...@openwrt.org> wrote:
> Add option to disable any reply not related to a listening socket,
> like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
> Also disables ICMP replies to echo request and timestamp.
> The stealth mode can be enabled selectively for a single interface.
I think it would make more sense to extend the socket match in xtables if it can't be used to achieve this already. Seems like

*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m socket --nowildcard -j ACCEPT
-A INPUT -p tcp -j DROP
COMMIT

already does what you want for tcp, udp should work too.

I'd much rather see xtables and/or nftables to be extended with whatever feature(s) are needed to configure such a policy rather than pushing this into the core network stack.
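The ruleset quoted in the reply covers only TCP on all interfaces. Below is an added example (not from the thread or either poster) that extends the same xt_socket approach to the full policy the patch describes: no RST for TCP, no Port-Unreachable for UDP, no echo or timestamp replies, and all of it limited to one interface; the interface name eth0 is a placeholder.

```iptables
*filter
:INPUT ACCEPT [0:0]
# Packets that belong to an existing or listening socket are accepted.
# --nowildcard also matches listeners bound to the any-address (0.0.0.0),
# which the socket match skips by default.
-A INPUT -i eth0 -p tcp -m socket --nowildcard -j ACCEPT
-A INPUT -i eth0 -p udp -m socket --nowildcard -j ACCEPT
# No matching socket: DROP instead of letting the stack send RST/ACK
# (TCP) or ICMP Port-Unreachable (UDP).
-A INPUT -i eth0 -p tcp -j DROP
-A INPUT -i eth0 -p udp -j DROP
# Suppress the two ICMP replies the patch mentions, on this interface only.
-A INPUT -i eth0 -p icmp --icmp-type echo-request -j DROP
-A INPUT -i eth0 -p icmp --icmp-type timestamp-request -j DROP
COMMIT
```

Load with iptables-restore (and mirror it with ip6tables-restore if the interface carries IPv6); traffic on other interfaces is untouched because every rule is keyed on -i eth0.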