On Tue, Feb 26, 2002 at 06:25:34PM +0100, Maciej Soltysiak wrote:
> > They will? Is that specific to 'icmp dst port'? I thought routers
> > between the source and the destination could return ICMP errors with
> > their IP address if there is no route or such...
> Well, the normal scenario is this:
> A sends a packet to B to a closed port
> B sends icmp dest port unreach. The icmp dest port unreach has:
> source: B, dest: A, and as the payload 64 bytes (in case of linux) of the
> offending packet (there we see that A sent that packet to B to a closed
> port)
>
> The NEW scenario is this:
> A sends a packet to B to a closed port
> B sends icmp and changes the IP to a fake one.
> A receives the icmp, and says:
> hey, i did not send packets to 'fake IP', this is a mistake-->DROP
>
> or is it not this way?
>
Apparently not. I just tested it and it seems that A receives the ICMP port unreachable and parses the payload (note there are only 64 bits, not bytes) and determines what the context was.

12:15:20.678887 eth0 > a.a.a.a.1031 > b.b.b.b.auth: S 1030380384:1030380384(0) ...
12:15:20.679323 eth0 < c.c.c.c > a.a.a.a: icmp: b.b.b.b tcp port auth unreachable (DF) [tos 0xc0]

This is done by a simple '-j REJECT --reject-with icmp-port-unreachable' on c.c.c.c.

Now I assume that this new module would give you the possibility to fake the originating icmp...

Ramin
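To make concrete what Ramin observed (the ICMP error comes from c.c.c.c, yet A still attributes it to its flow towards b.b.b.b), here is an added example, not code from the thread or from netfilter, that builds an RFC 792 type 3 / code 3 message quoting the offending IP header plus the first 64 bits of its data, then parses it the way a receiving host does: the match is made on the quoted datagram, and the outer ICMP source address plays no part. The addresses 10.0.0.1/2/3 stand in for a.a.a.a, b.b.b.b and c.c.c.c, port 113 is auth/tcp, and all packets are constructed inline; nothing is sent on the wire.

```python
"""Build and parse ICMP port-unreachable messages (RFC 792, type 3 code 3) and
show which fields the receiving host uses to match the error to its own flow.
Constructed sample data: 10.0.0.1 = a.a.a.a, 10.0.0.2 = b.b.b.b, 10.0.0.3 = c.c.c.c."""

import ipaddress
import struct

IPPROTO_ICMP = 1
IPPROTO_TCP = 6


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the header checksum filled in."""
    fields = [0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields)


def tcp_syn(sport: int, dport: int, seq: int) -> bytes:
    """20-byte TCP header with only SYN set and no options."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 5840, 0, 0)


def icmp_port_unreachable(icmp_src: str, icmp_dst: str, offending: bytes) -> bytes:
    """ICMP type 3 code 3 quoting the offending IP header plus its first 64 bits of
    data, wrapped in an IPv4 header sourced from icmp_src.  icmp_src does not have
    to be the destination of the offending packet; that is the c.c.c.c case."""
    ihl = (offending[0] & 0x0F) * 4
    quoted = offending[:ihl + 8]
    body = struct.pack("!BBHI", 3, 3, 0, 0) + quoted
    body = struct.pack("!BBHI", 3, 3, checksum(body), 0) + quoted
    return ipv4_header(icmp_src, icmp_dst, IPPROTO_ICMP, len(body)) + body


def parse_port_unreachable(packet: bytes) -> dict:
    """Return the outer ICMP sender and the flow recovered from the quoted datagram.
    Raises ValueError for anything that is not a well-formed port-unreachable."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_ICMP:
        raise ValueError("not ICMP")
    icmp = packet[ihl:]
    if len(icmp) < 8 or checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum or truncated message")
    if (icmp[0], icmp[1]) != (3, 3):
        raise ValueError("not destination unreachable / port unreachable")
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    if len(inner) < inner_ihl + 8:
        raise ValueError("quoted datagram shorter than IP header + 64 bits")
    # Only 64 bits of transport header are guaranteed: for TCP, ports and sequence number.
    sport, dport, seq = struct.unpack("!HHI", inner[inner_ihl:inner_ihl + 8])
    return {
        "icmp_src": str(ipaddress.IPv4Address(packet[12:16])),
        "icmp_dst": str(ipaddress.IPv4Address(packet[16:20])),
        "proto": inner[9],
        "src": str(ipaddress.IPv4Address(inner[12:16])),
        "dst": str(ipaddress.IPv4Address(inner[16:20])),
        "sport": sport,
        "dport": dport,
        "seq": seq,
    }


def matches_flow(parsed: dict, flows: set) -> bool:
    """What host A checks: the quoted 5-tuple must be one of its own outgoing flows.
    The outer ICMP source is deliberately not part of the key, so an error emitted
    by a third host is accepted as long as the quote matches."""
    key = (parsed["proto"], parsed["src"], parsed["sport"], parsed["dst"], parsed["dport"])
    return key in flows


A, B, C = "10.0.0.1", "10.0.0.2", "10.0.0.3"
A_FLOWS = {(IPPROTO_TCP, A, 1031, B, 113)}  # A's SYN to b.b.b.b:auth from the tcpdump


def demo() -> tuple:
    """(error from c.c.c.c quoting the real SYN, error quoting a host A never contacted)."""
    syn = ipv4_header(A, B, IPPROTO_TCP, 20) + tcp_syn(1031, 113, 1030380384)
    from_third_party = icmp_port_unreachable(C, A, syn)
    fake_quote = ipv4_header(A, "192.0.2.9", IPPROTO_TCP, 20) + tcp_syn(1031, 113, 1)
    quoting_fake_ip = icmp_port_unreachable(B, A, fake_quote)
    return (matches_flow(parse_port_unreachable(from_third_party), A_FLOWS),
            matches_flow(parse_port_unreachable(quoting_fake_ip), A_FLOWS))


if __name__ == "__main__":
    print(demo())
```

The first case is the thread's tcpdump: the error is sourced from c.c.c.c but quotes A's SYN to b.b.b.b:auth, so A matches it. The second case is the "fake IP" scenario from the quoted message: the outer source is genuine but the quoted destination is an address A never sent to, so the lookup fails and the error is dropped. Spoofing the outer source therefore gains nothing on its own; what the receiver trusts is the quoted datagram, which anyone who has seen the original packet (or can guess its ports and sequence number) can reproduce.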
