On Wed, May 22, 2002 at 03:36:51PM +0800, Fabrice MARIE wrote:
> Well, say your firewall is 202.58.4.3,
> your webservers are 202.58.4.7-20 and all traffic from outside to your webservers
> is filtered by your firewall.
> Now you can tell your firewall:
>
> if packet src != trusted and dest=202.58.4.7-20 destport != 80 then reject the packet
> with icmp unreach that seems to come from the webserver itself (and not
> from the firewall so you won't detect the firewall so easily).
>
> an egress filter at your ISP will not drop such packets, because
> as far as it's concerned, these packets come from legitimate sources...
Gotcha. I thought you meant sending the ICMP unreachable as the IP of the sender of the original packet. I misread your original message.

-- 
Ben Reser <[EMAIL PROTECTED]>
http://ben.reser.org

We tend to see all wars through the lens of the current conflict, and we mine history for lessons convenient to the present purpose.
- Brian Hayes
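The reject described in the quoted message, modelled as an added example that is not code from the thread or from either poster: the firewall applies the stated rule (source not trusted, destination in 202.58.4.7-20, destination port other than 80) and answers with an ICMP port unreachable whose IP source is the webserver's own address rather than the firewall's. The firewall address and the webserver range come from the message; the webserver 202.58.4.10, the client, the trusted host, the sample SYN and the TTL value are constructed assumptions, and nothing is put on the wire.

```python
"""Constructed example (added here, not code from the original thread).

Models the firewall behaviour Fabrice describes: a packet from an untrusted
source to a webserver on a port other than 80 is rejected with an ICMP port
unreachable whose IP source is the webserver's address, not the firewall's.
Only 202.58.4.3 (firewall) and 202.58.4.7-20 (webservers) come from the
thread; every other address, the trusted set and the sample SYN are made up.
"""
import ipaddress
import struct

FIREWALL = ipaddress.ip_address("202.58.4.3")
WEB_LO = ipaddress.ip_address("202.58.4.7")
WEB_HI = ipaddress.ip_address("202.58.4.20")
# Constructed: one webserver, one outside client, one trusted admin host
WEBSERVER = ipaddress.ip_address("202.58.4.10")
CLIENT = ipaddress.ip_address("198.51.100.77")
ADMIN = ipaddress.ip_address("203.0.113.5")
TRUSTED = {ADMIN}


def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum; yields 0 over a valid IP/ICMP header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                      ttl, proto, 0, src.packed, dst.packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def tcp_syn(src, dst, sport, dport):
    """Constructed client SYN; the TCP checksum is left 0 (not checked here)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    return ipv4_header(src, dst, 6, len(tcp)) + tcp


def parse_ipv4(pkt):
    fields = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (fields[0] & 0x0F) * 4
    return {"src": ipaddress.ip_address(fields[8]),
            "dst": ipaddress.ip_address(fields[9]),
            "proto": fields[6], "ttl": fields[5], "ihl": ihl,
            "payload": pkt[ihl:fields[2]]}


def should_reject(pkt, trusted=TRUSTED):
    """Fabrice's rule: src not trusted, dst in 202.58.4.7-20, dest port != 80."""
    ip = parse_ipv4(pkt)
    if ip["src"] in trusted or not (WEB_LO <= ip["dst"] <= WEB_HI):
        return False
    if ip["proto"] not in (6, 17):   # assumption: only TCP/UDP can be "port 80"
        return True
    dport = struct.unpack("!H", ip["payload"][2:4])[0]  # same offset in TCP and UDP
    return dport != 80


def icmp_port_unreachable(pkt, ttl=64):
    """ICMP type 3 code 3 for pkt, with IP src = pkt's destination (the webserver).

    ttl=64 is an assumed webserver default. Note the firewall sits one hop
    closer to the client than the webserver in this topology, so a probe that
    compares observed TTLs against the expected hop count could still tell
    the two apart.
    """
    ip = parse_ipv4(pkt)
    quoted = pkt[:ip["ihl"] + 8]   # RFC 792: original header plus 8 payload bytes
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(ip["dst"], ip["src"], 1, len(icmp), ttl=ttl) + icmp


def firewall_handle(pkt, trusted=TRUSTED):
    """Return the ICMP reject to send back, or None to let the packet through."""
    return icmp_port_unreachable(pkt) if should_reject(pkt, trusted) else None


if __name__ == "__main__":
    probe = tcp_syn(CLIENT, WEBSERVER, 40000, 22)
    r = parse_ipv4(firewall_handle(probe))
    print(f"reject appears to come from {r['src']} -> {r['dst']} (firewall is {FIREWALL})")
    print("port 80 passes:", firewall_handle(tcp_syn(CLIENT, WEBSERVER, 40000, 80)) is None)
```

The rejecting packet carries the webserver's address as source, so an ISP egress filter that only checks that source addresses belong to the site sees a legitimate local address and lets it through, which is the point Fabrice makes; the TTL remark in the docstring is the one detail this scheme does not hide by itself.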