On Wednesday 22 May 2002 14:47, Ben Reser wrote:
> On Wed, May 22, 2002 at 03:36:51PM +0800, Fabrice MARIE wrote:
> > Well, say your firewall is 202.58.4.3,
> > your webservers are 202.58.4.7-20 and all traffic from outside to your
> > webservers is filtered by your firewall.
> > Now you can tell your firewall:
> > if packet src != trusted and dest=202.58.4.7-20 destport != 80 then
> > reject the packet with icmp unreach that seems to come from the webserver
> > itself (and not from the firewall so you won't detect the firewall so
> > easily).
> > an egress filter at your ISP will not drop such packets, because
> > as far as it's concerned, these packets come from legitimate sources...
> Gotcha. I thought you meant sending the ICMP unreachable as the IP of
> the sender of the original packet.

Well, you could do that as well (even though it would require some patching if you want it to be dynamic), but these icmp unreach would most probably be dropped by any egress filter, as you pointed out.

> I misread your original message.

I probably haven't phrased it properly. Sorry about that.

Have a nice day,
Fabrice.

-- 
Fabrice MARIE
Senior R&D Engineer
Celestix Networks
http://www.celestix.com/
"Silly hacker, root is for administrators" -Unknown
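The rule Fabrice describes, modelled as an added example (not code from either poster or from Celestix): it evaluates a packet against the web-farm addresses given in the thread and reports which source address the ICMP unreachable carries, contrasting the "stealth" variant (sourced from the web server) with the ordinary behaviour of sourcing it from the firewall, which is what lets a sender map the firewall. The trusted network 10.0.0.0/8 and the probe sender 198.51.100.9 are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Constructed model of the rule from the thread; the firewall and web-server
# addresses are the ones in the message, TRUSTED is an assumed management net.
FIREWALL = IPv4Address("202.58.4.3")
WEB_FARM = IPv4Network("202.58.4.0/24")
WEB_HOSTS = range(7, 21)                 # 202.58.4.7 through 202.58.4.20
TRUSTED = [IPv4Network("10.0.0.0/8")]    # assumption: sources exempt from the rule


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def is_webserver(addr: IPv4Address) -> bool:
    offset = int(addr) - int(WEB_FARM.network_address)
    return addr in WEB_FARM and offset in WEB_HOSTS


def is_trusted(addr: IPv4Address) -> bool:
    return any(addr in net for net in TRUSTED)


def decide(pkt: Packet, stealth: bool = True):
    """Apply the rule to one packet.

    Returns ("forward", None) when the packet passes, or ("reject", src)
    where src is the address the ICMP unreachable is sent from: the web
    server itself in stealth mode, the firewall's own address otherwise.
    """
    src, dst = IPv4Address(pkt.src), IPv4Address(pkt.dst)
    if not is_webserver(dst):
        return ("forward", None)         # rule only covers the web farm
    if is_trusted(src) or pkt.dport == 80:
        return ("forward", None)         # allowed traffic passes through
    return ("reject", str(dst if stealth else FIREWALL))


def responders(probes, stealth: bool = True) -> set:
    """Addresses an outside sender would see answering its probes."""
    seen = set()
    for p in probes:
        verdict, icmp_src = decide(p, stealth)
        seen.add(icmp_src if verdict == "reject" else p.dst)
    return seen


PROBES = [  # constructed sample traffic from one untrusted source
    Packet("198.51.100.9", "202.58.4.7", 80),
    Packet("198.51.100.9", "202.58.4.7", 22),
    Packet("198.51.100.9", "202.58.4.20", 443),
]
```

With `stealth=True`, `responders(PROBES)` contains only web-server addresses; with `stealth=False` the firewall's address 202.58.4.3 appears as well.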