On Tue, Feb 26, 2002 at 12:09:09PM -0500, Stephen Frost wrote:
> > > Be more specific about "with faked IP address". If the src of icmp
> > > dst port unreachable does not match the dst of the original request
> > > it will simply get dropped with no effect.

My statement above is wrong. The determining factor is the icmp 64b payload. So I guess '-j REJECT --fake-source x.y.z.t' can be used to fake the originating machine. One application would be what Stephen describes below.

Ramin

> > > > > > Ramin
> > well i was talking about Fabrice Marie's patch to cvs that allows to use
> > -j REJECT --fake-source 10.1.1.1
> >
> > i would like Fabrice to elaborate on that a bit.
> > As you Ramin noticed, icmp not elicited by our packets, will get dropped
> > by the kernel. if we change the source ip, they will get dropped.
>
> They will? Is that specific to 'icmp dst port'? I thought routers
> between the source and the destination could return ICMP errors with
> their IP address if there is no route or such...
>
> > Or not? Please explain anyone, what is the use of this patch to REJECT
> > target.
>
> Well, one interesting idea is a firewall bridge which doesn't actually
> have an IP address of its own being able to send ICMP error back saying
> unreachable as if it was the destination machine... :)
>
> Stephen
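An added illustration of the point Ramin corrects above (this is not code from the thread or from the netfilter patch it discusses): a receiving host decides whether an ICMP port-unreachable belongs to one of its sockets by looking at the original IP header plus the first 8 bytes of transport header quoted in the ICMP payload, not at the outer source address of the ICMP packet. All addresses and ports below are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

def ip_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header (checksum left at 0; not needed here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

def udp_dst_unreachable(icmp_src, victim, orig_src, orig_dst, sport, dport):
    """Build IP + ICMP type 3 / code 3 quoting the original IP header and the
    first 8 bytes (64 bits) of the original UDP header, as RFC 792 requires."""
    quoted = ip_header(orig_src, orig_dst, 17, 28) + struct.pack("!HHHH", sport, dport, 8, 0)
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + quoted   # type, code, checksum, unused
    return ip_header(icmp_src, victim, 1, 20 + len(icmp)) + icmp

def parse_icmp_error(pkt):
    """Return (outer_src, (src, dst, proto, sport, dport)) taken from the quoted
    original datagram, or None if this is not an ICMP destination-unreachable."""
    ihl = (pkt[0] & 0x0F) * 4
    outer_src = str(IPv4Address(pkt[12:16]))
    icmp = pkt[ihl:]
    if icmp[0] != 3:
        return None
    inner = icmp[8:]                     # quoted original IP header starts here
    iihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    src, dst = str(IPv4Address(inner[12:16])), str(IPv4Address(inner[16:20]))
    sport, dport = struct.unpack("!HH", inner[iihl:iihl + 4])
    return outer_src, (src, dst, proto, sport, dport)

def accept_icmp_error(pkt, open_sockets):
    """Host-side demux: the error is honoured only if the quoted 5-tuple matches
    an outstanding socket; the outer ICMP source address plays no part."""
    parsed = parse_icmp_error(pkt)
    if parsed is None:
        return False
    _outer_src, quoted = parsed
    return quoted in open_sockets
```

With a socket table holding (10.0.0.5, 192.0.2.7, UDP, 40000, 53), a port-unreachable from 192.0.2.7 and one from an unrelated address 198.51.100.1 are both accepted when they quote that header, while one from 192.0.2.7 quoting a different port is dropped.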
