* Maciej Soltysiak ([EMAIL PROTECTED]) wrote:
> > Be more specific about "with faked IP address". If the src of icmp
> > dst port unreachable does not match the dst of the original request
> > it will simply get dropped with no effect.
> >
> > Ramin
> well i was talking about Fabrice Marie's patch to cvs that allows to use
> -j REJECT --fake-source 10.1.1.1
>
> i would like Fabrice to elaborate on that a bit.
> As you Ramin noticed, icmp not elicited by our packets, will get dropped
> by the kernel. if we change the source ip, they will get dropped.
They will? Is that specific to 'icmp dst port'? I thought routers
between the source and the destination could return ICMP errors with
their IP address if there is no route or such...
> Or not? Please explain anyone, what is the use of this patch to REJECT
> target.
Well, one interesting idea is a firewall bridge which doesn't actually
have an IP address of its own being able to send ICMP error back saying
unreachable as if it was the destination machine... :)
Stephen
