Phil Oester kernel at linuxace.com
Thu Dec 30 00:56:57 CET 2004

On Thu, Dec 30, 2004 at 12:42:17AM +0100, Matteo Croce wrote:
> Hi,
> time ago i wanted to stealth may gateway, so i start dropping outgoing 
> icmp-port-unreachable packets, to avoid UDP scans.
> But i had also a '--dport 113 -j REJECT' target to allow faster irc logins,
> that stopped working since those ICMP were rejected by the new rule.
> So i hacked the kernel with a patch i also attach, to prevent those packets 
> being generated.

Perhaps you should consider using:

--dport 113 -j REJECT --reject-with tcp-reset

instead of hacking the kernel to disable icmp rejects?

As far as the rest of your message goes, I suppose it is a matter of personal
preference, but if you have a firewall open to the world for a particular
service, people on the outside will be able to find it if that service is
running.  Why do you care if people get an icmp unreachable when the service
is down?  You aren't making the box more secure IMO by not allowing the
icmp error outbound.

Anyhow...this discussion likely belongs over on the general netfilter list.


More information about the netfilter-devel mailing list