> On Wednesday 22 May 2002 14:47, Ben Reser wrote:
>> On Wed, May 22, 2002 at 03:36:51PM +0800, Fabrice MARIE wrote:
>> > Well, say your firewall is 202.58.4.3,
>> > your webservers are 202.58.4.7-20 and all traffic from outside to
>> > your webservers is filtered by your firewall.
>> > Now you can tell your firewall:
>> > if packet src != trusted and dest=202.58.4.7-20 destport != 80 then
>> > reject the packet with icmp unreach that seems to come from the
>> > webserver itself (and not from the firewall, so you won't detect the
>> > firewall so easily).
>> > An egress filter at your ISP will not drop such packets, because as
>> > far as it's concerned, these packets come from legitimate sources...
>
>> Gotcha. I thought you meant sending the ICMP unreachable as the IP of
>> the sender of the original packet.
>
> Well, you could do that as well (even though it would require some
> patching if you want it to be dynamic), but these icmp unreach would
> most probably be dropped by any egress filter, as you pointed out..
Sorry - not really netfilter related ... But I was wondering if you meant that typical ISPs in the USA use egress filters to stop people from supplying a source IP address that is not directly assigned to them, and thus stop anyone from having a multi-homed system with out-bound routing not directly based on the ISP the packet was routed in through? This is something I have done for a long time (with a previous ISP during a change over to a new ISP, and with both of my current ADSL ISPs) and I'd like to know if this is something new that I can expect to start causing me problems (or have I completely misunderstood the original discussion).

Feel free to reply off list if others on the list might not want to have to skip the replies.

--
-Thanks
-Andrew

MS ... if only he hadn't been hang gliding!
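The two ideas in the quoted exchange (a firewall rejecting probes with an ICMP unreachable whose source is the web server rather than the firewall, and an ISP egress filter that only forwards packets sourced from the customer's assigned prefix) can be worked through in memory without touching netfilter. The following is an added illustration written for this page, not code posted by anyone in the thread and not a netfilter patch: it builds the packets by hand with the standard library, so nothing is sent. The firewall and web server addresses are the ones from Fabrice's mail; the probing host 198.51.100.77, the trusted admin host 203.0.113.10, the ISP prefix 202.58.4.0/24 and the prefixes used for the multi-homing case are assumptions for illustration.

```python
"""Added example: spoofed-source ICMP unreachable vs. a BCP 38 style egress filter.
Standard library only; packets are built and parsed in memory, never sent."""
import ipaddress
import struct

FIREWALL = "202.58.4.3"                                   # from the quoted mail
WEBSERVERS = {ipaddress.ip_address("202.58.4.%d" % i) for i in range(7, 21)}
TRUSTED = {ipaddress.ip_address("203.0.113.10")}          # assumed admin host
ISP_PREFIX = ipaddress.ip_network("202.58.4.0/24")        # assumed customer prefix


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (pad odd length with zero)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header without options; header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def tcp_syn(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Probe packet: IPv4 + minimal TCP SYN (TCP checksum left 0, irrelevant here)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    return ipv4_header(src, dst, 6, len(tcp)) + tcp


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload) for a packet or a quoted header fragment."""
    ihl = (pkt[0] & 0x0F) * 4
    return (ipaddress.ip_address(pkt[12:16]), ipaddress.ip_address(pkt[16:20]),
            pkt[9], pkt[ihl:])


def icmp_port_unreachable(offending: bytes, reply_src: str) -> bytes:
    """ICMP type 3 code 3 quoting the offending IP header + 8 bytes (RFC 792).
    reply_src is whatever the firewall chooses to put in the outer IP source:
    its own address, the web server's, or (Ben's variant) the prober's."""
    ihl = (offending[0] & 0x0F) * 4
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + offending[: ihl + 8]
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    orig_src = str(ipaddress.ip_address(offending[12:16]))  # reply goes back to the prober
    return ipv4_header(reply_src, orig_src, 1, len(icmp)) + icmp


def firewall_decision(pkt: bytes, spoof_as_server: bool):
    """Fabrice's rule: src not trusted, dst a web server, dport != 80 -> reject with
    an ICMP unreachable. Returns (verdict, reply_packet_or_None)."""
    src, dst, proto, payload = parse_ipv4(pkt)
    if src in TRUSTED or dst not in WEBSERVERS:
        return "accept", None
    if proto == 6 and struct.unpack("!H", payload[2:4])[0] == 80:
        return "accept", None
    reply_src = str(dst) if spoof_as_server else FIREWALL
    return "reject", icmp_port_unreachable(pkt, reply_src)


def verify_icmp_unreachable(pkt: bytes):
    """What the prober sees: outer source, plus the quoted destination and port."""
    src, dst, proto, icmp = parse_ipv4(pkt)
    if proto != 1 or checksum(icmp) != 0 or (icmp[0], icmp[1]) != (3, 3):
        return None
    q_src, q_dst, q_proto, q_payload = parse_ipv4(icmp[8:])
    return {"reply_src": str(src), "quoted_dst": str(q_dst),
            "quoted_dport": struct.unpack("!H", q_payload[2:4])[0]}


def isp_egress_filter(pkt: bytes, customer_prefixes) -> bool:
    """BCP 38 style check at the ISP edge: forward only if the source address
    falls inside space assigned to this customer."""
    src = parse_ipv4(pkt)[0]
    return any(src in prefix for prefix in customer_prefixes)


if __name__ == "__main__":
    probe = tcp_syn("198.51.100.77", "202.58.4.9", 40000, 22)   # constructed probe
    verdict, reply = firewall_decision(probe, spoof_as_server=True)
    print(verdict, verify_icmp_unreachable(reply),
          "passes ISP egress filter:", isp_egress_filter(reply, [ISP_PREFIX]))
    # Ben's variant: ICMP sourced from the prober's own address is not in the prefix.
    print("prober-sourced variant forwarded:",
          isp_egress_filter(icmp_port_unreachable(probe, "198.51.100.77"), [ISP_PREFIX]))
    # Andrew's situation: a packet sourced from ISP B's space leaving via ISP A.
    isp_a, isp_b = ipaddress.ip_network("198.51.100.0/24"), ipaddress.ip_network("203.0.113.0/24")
    via_a = tcp_syn(str(isp_b[5]), "192.0.2.1", 40000, 443)
    print("multi-homed packet forwarded by ISP A:", isp_egress_filter(via_a, [isp_a]))
```

The last case is the one Andrew asks about: a host sourcing from ISP B's prefix but routing the packet out through ISP A is indistinguishable, to ISP A's egress filter, from a spoofing host, so it gets dropped. Note that whichever source the firewall chooses for the ICMP, the quoted inner header still names the real target and port, so the trick changes what the prober learns about the firewall, not what it learns about the target.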