On Tue, 2004-05-11 at 14:38, Marc Haber wrote:
> On Tue, May 11, 2004 at 01:16:03PM -0400, Chris Brenton wrote:
> > Depends. I like rejecting with host-unreachables as it makes it look
> > like you do not have a firewall.
>
> NACK. If I weren't there, the host unreachable would have the source
> address of the upstream router, and not my own one.

I didn't say "not there", I said "look like there is no firewall". The
type 3 code 1 mimics the response of a typical router.

> To be truly
> invisible, you'd need to fake the upstream router's IP address,

Not going to work. Firewalk will quickly identify there is a hop on the
wire that is not accounted for. Thus I don't bother shooting for
invisible, just a little bit of decoying and deception. ;-)

HTH,
Chris