On Sunday 18 July 2004 9:57 pm, Dirk Morris wrote:

> Is there a way to match only certain ICMP responses that relate to
> certain other sessions.
>
> example: is there a rule/match I can use to specify that I want to block
> all ICMP port unreachable errors, but _only_ in response to UDP packets (not
> TCP).

Why would you get an ICMP message in response to a TCP port being unreachable? TCP will either return RST, or simply won't return the SYN-ACK packet, and eventually the client will time out. There should be no ICMP packets involved.

> Or maybe both TCP and UDP, but only port 123. etc etc.

If you want to match ICMP packets which are in response to an unsuccessful UDP packet to port 123, you could try the "string" match? It has the disadvantage (which for most other purposes is a severe one) that it will only match strings contained completely within one packet; however, in this case I think all the data you will be interested in will be in one packet, therefore it might be a good solution to the problem.

Regards,

Antony.

--
Perfection in design is achieved not when there is nothing left to add,
but rather when there is nothing left to take away.

 - Antoine de Saint-Exupery

Please reply to the list; please don't CC me.
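The reason "all the data you will be interested in will be in one packet" is that an ICMP Destination Unreachable message quotes the offending datagram's IP header plus the first eight bytes of its payload (RFC 792), so the original protocol number and destination port are right there in the ICMP body. The following Python is an added example, not code from the list thread or from netfilter: it builds a constructed ICMP type 3 / code 3 message quoting a hypothetical UDP or TCP datagram, verifies the ICMP checksum, and applies Dirk's filter (drop only port-unreachable errors triggered by UDP, optionally restricted to a port such as 123). The function names, sample addresses and ports are assumptions made for the example; the parsing assumes IPv4.

```python
import socket
import struct

# ICMP type/code and IP protocol numbers used in the example (RFC 792 / IANA).
ICMP_DEST_UNREACH = 3
ICMP_PORT_UNREACH = 3
PROTO_TCP = 6
PROTO_UDP = 17


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_port_unreach(orig_proto: int, dst_port: int,
                       src: str = "192.0.2.1", dst: str = "198.51.100.2") -> bytes:
    """Construct the ICMP message (everything after the outer IP header) that a host
    would send when a datagram to dst_port with protocol orig_proto was refused.
    Sample data is constructed for the example; addresses are documentation ranges."""
    # Quoted (inner) IPv4 header, IHL = 5, total length = 20 + 8 quoted bytes.
    inner_ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 64,
                                     orig_proto, 0,
                                     socket.inet_aton(src), socket.inet_aton(dst)))
    struct.pack_into("!H", inner_ip, 10, inet_checksum(bytes(inner_ip)))
    # Only the first 8 bytes of the original transport header are quoted.
    # Both UDP and TCP carry the destination port at offset 2 of that header.
    quoted = struct.pack("!HH", 40000, dst_port) + b"\x00" * 4
    body = bytes(inner_ip) + quoted
    hdr = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0, 0)
    csum = inet_checksum(hdr + body)
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, csum, 0) + body


def classify(icmp_msg: bytes):
    """Return (inner_protocol, inner_dst_port) for a valid ICMP port-unreachable
    message, or None if the message is some other ICMP type/code, truncated,
    not quoting IPv4, or fails its checksum."""
    if len(icmp_msg) < 8 + 20 + 4:          # ICMP hdr + minimal IP hdr + ports
        return None
    if icmp_msg[0] != ICMP_DEST_UNREACH or icmp_msg[1] != ICMP_PORT_UNREACH:
        return None
    if inet_checksum(icmp_msg) != 0:        # valid message sums to zero
        return None
    inner = icmp_msg[8:]
    version, ihl = inner[0] >> 4, (inner[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(inner) < ihl + 4:
        return None
    proto = inner[9]                        # protocol byte of the quoted IP header
    dport = struct.unpack_from("!H", inner, ihl + 2)[0]
    return proto, dport


def should_drop(icmp_msg: bytes, protocols=frozenset({PROTO_UDP}), ports=None) -> bool:
    """Dirk's policy: drop port-unreachable errors caused by the given protocols
    (UDP by default) and, if ports is given, only those destination ports."""
    info = classify(icmp_msg)
    if info is None:
        return False
    proto, dport = info
    return proto in protocols and (ports is None or dport in ports)


if __name__ == "__main__":
    for proto, port in ((PROTO_UDP, 123), (PROTO_TCP, 123), (PROTO_UDP, 53)):
        msg = build_port_unreach(proto, port)
        print(len(msg), "bytes", classify(msg),
              "drop" if should_drop(msg, ports={123}) else "pass")
```

The whole message here is 36 bytes, which is why a single-packet match is sufficient. Note that with a 20-byte quoted header the protocol byte sits at offset 17 and the destination port at offset 30 of the ICMP message, with variable checksum and address bytes in between; those two fields are therefore not one contiguous string, which is the practical limit of a "string" match for this job.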