Hello Paul,
Interesting exercise; it has never come to my mind to try something like that.
I did poke into the RFCs and found 1122 [1]. I'm not an RFC guru, so I hope this
particular one is not superseded or updated by a more recent one.
If I understand the quotation below right, then the host TCP stack should just ignore
the ICMP port unreachable message sent on behalf of the rule:
> block return-icmp proto tcp from any to any port 10002
The RFC 1122 [1] quotation below comes from page 40 (section 3.2.2.1):
A Destination Unreachable message that is received MUST be
reported to the transport layer. The transport layer SHOULD
use the information appropriately; for example, see Sections
4.1.3.3, 4.2.3.9, and 4.2.4 below. A transport protocol
that has its own mechanism for notifying the sender that a
port is unreachable (e.g., TCP, which sends RST segments)
MUST nevertheless accept an ICMP Port Unreachable for the
same purpose.
A Destination Unreachable message that is received with code
0 (Net), 1 (Host), or 5 (Bad Source Route) may result from a
routing transient and MUST therefore be interpreted as only
a hint, not proof, that the specified destination is
unreachable [IP:11]. For example, it MUST NOT be used as
proof of a dead gateway (see Section 3.3.1).
I think there are very few IP/TCP implementations which follow the
standard.
regards
sashan
[1] https://www.ietf.org/rfc/rfc1122.txt
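As an added example (not part of this message, and not pf or kernel code), a small Python parser that applies the RFC 1122 section 3.2.2.1 rule quoted above to an ICMP Destination Unreachable message: codes 0, 1 and 5 are classified as a hint, the others (port unreachable included) as proof that the destination is unreachable, and the quoted IP header plus 8 bytes of TCP are extracted so a receiver can match the message against a real connection before acting on it. The addresses, ports and sequence number in the sample are constructed values; the destination port 10002 mirrors the pf rule above.

```python
import struct

# RFC 1122 section 3.2.2.1: Destination Unreachable codes 0 (net), 1 (host)
# and 5 (bad source route) may come from a routing transient and are only a
# hint; others, including 3 (port unreachable), are accepted as unreachable.
HINT_CODES = {0, 1, 5}
CODE_NAMES = {0: "net", 1: "host", 2: "protocol", 3: "port",
              4: "fragmentation needed", 5: "bad source route"}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_dest_unreachable(icmp: bytes) -> dict:
    """Parse an ICMP type 3 message plus the quoted IP header and first
    8 bytes of the offending datagram (TCP ports and sequence number)."""
    if len(icmp) < 8 + 20 + 8:
        raise ValueError("too short: need ICMP header, IP header and 8 bytes")
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type != 3:
        raise ValueError("not a Destination Unreachable message")
    inner = icmp[8:]                     # quoted IPv4 header of the original datagram
    ihl = (inner[0] & 0x0F) * 4
    if (inner[0] >> 4) != 4 or len(inner) < ihl + 8:
        raise ValueError("quoted datagram is not an IPv4 header plus 8 bytes")
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    return {
        "code": code,
        "reason": CODE_NAMES.get(code, "other"),
        "treat_as": "hint" if code in HINT_CODES else "unreachable",
        "proto": inner[9],
        "src": ".".join(map(str, inner[12:16])),
        "dst": ".".join(map(str, inner[16:20])),
        "sport": sport, "dport": dport, "seq": seq,
    }

def build_sample(code: int) -> bytes:
    """Constructed sample: Destination Unreachable quoting a TCP SYN from
    192.0.2.1:40000 to 198.51.100.7:10002 (documentation addresses)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    tcp = struct.pack("!HHI", 40000, 10002, 0x0ABCDEF0)
    body = struct.pack("!BBHI", 3, code, 0, 0) + ip + tcp
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
```

A receiving stack would compare the returned src/dst/sport/dport/seq against its connection table and drop messages that quote no live connection, which is the check that limits what a forged ICMP error can do.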