On Tue, Aug 06, 2002 at 06:57:08PM -0300, Ethy H. Brito wrote:
> And what would be the address it (the bridge) is going to put in the
> packet? The new assigned bridge interface address or the connection
> originator address? I ask this because ipf has an option
> (return-icmp-as-dest) that did the trick very well.
For return-rst, the destination of the blocked packet, and for return-icmp, the firewall's address. For some ICMP errors (like 'host unreachable'), it makes no sense to use the destination's address. An optional 'return-icmp as <ip>' or similar has been suggested before, but we haven't found an elegant way to implement it without duplicating large chunks of code already found in the stack. Most ICMP errors should actually come from a router in front of the protected destination (and not the destination itself); some people seem to be concerned with advertising the router's address in the ICMP error.

Daniel
