On Tuesday 05 November 2002 1:42 pm, Kellogg, Chris wrote:
> Hi, everyone.
>
> I'm thinking about a series of obfuscation rules to try to reduce firewall
> visibility.
>
> I'd like to make an IPTables firewall reject packets with an
> ICMP-Host-Unreachable, but also change the source address of the packet to
> be the gateway router instead of the firewall itself.
>
> Opinions? Comments?

My opinion is that if you want to reduce firewall visibility, you should send back nothing at all.

However, if you want to try your idea, I think it's not the OUTPUT chain you want to look at, but the POSTROUTING chain, because that's where SNAT is done. I see no reason why you shouldn't be able to SNAT ICMP packets coming from the firewall to make them look like they came from somewhere else.

    iptables -A POSTROUTING -t nat -p icmp -s a.b.c.d -j SNAT --to w.x.y.z

a.b.c.d is the firewall's external address
w.x.y.z is the gateway router's external address

Antony.

--
If the human brain were so simple that we could understand it, we'd be so simple that we couldn't.