Re: matching on ICMP responses

On Sunday 18 July 2004 9:57 pm, Dirk Morris wrote:

> Is there a way to match only certain ICMP responses that relate to
> certain other sessions.
>
> example: is there a rule/match I can use to specify that I want to block
> all ICMP port unreachable errors, but _only_ in response to UDP packets (not
> TCP).

Why would you get an ICMP message in response to a TCP port being unreachable?

TCP will either return RST, or simply won't return the SYN-ACK packet, and 
eventually the client will time out. There should be no ICMP packets 
involved.

> Or maybe both TCP and UDP, but only port 123. etc etc.

If you want to match ICMP packets which are in response to an unsuccessful UDP 
packet to port 123, you could try the "string" match? It has the 
disadvantage (which for most other purposes is a severe one) that it will 
only match strings contained completely within one packet; however, in this 
case I think all the data you will be interested in will be in one packet, 
therefore it might be a good solution to the problem.

Regards,

Antony.

-- 
Perfection in design is achieved not when there is nothing left to add, but 
rather when there is nothing left to take away.

 - Antoine de Saint-Exupery

                                                     Please reply to the list;
                                                           please don't CC me.
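The reason the "string" match can work here is the layout of the ICMP error itself: RFC 792 requires a Destination Unreachable message to quote the offending datagram's IP header plus the first 8 bytes of its payload, which for UDP is the entire UDP header, so the original protocol number and destination port always sit at fixed offsets inside the one ICMP packet. The following is an added example, not code from this thread or from netfilter. It constructs sample datagrams and the port-unreachable errors they would provoke, locates the quoted protocol and destination port, applies the policy Dirk asked about (drop port-unreachables only when caused by UDP to port 123), and renders a hypothetical `-m string` rule from the computed offset. The assumptions are the example's own: the quoted IP header carries no options, and `--from`/`--to` offsets are counted from the start of the IP header.

```python
import struct

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
ICMP_DEST_UNREACH, ICMP_PORT_UNREACH = 3, 3


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (IPv4, ICMP, UDP all use it)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header without options, checksum filled in."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                      0, 0, 64, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def udp_datagram(src, dst, sport, dport, payload: bytes) -> bytes:
    """IPv4 UDP datagram; UDP checksum left at 0, which IPv4 permits."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return ipv4_header(src, dst, IPPROTO_UDP, len(udp)) + udp


def tcp_syn(src, dst, sport, dport) -> bytes:
    """IPv4 TCP SYN with a bare 20-byte TCP header (checksum 0; only layout matters here)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    return ipv4_header(src, dst, IPPROTO_TCP, len(tcp)) + tcp


def icmp_port_unreachable(original: bytes) -> bytes:
    """ICMP type 3 code 3 quoting the original IP header plus its first 8 bytes (RFC 792)."""
    ihl = (original[0] & 0x0F) * 4
    quoted = original[:ihl + 8]
    src = ".".join(str(b) for b in original[16:20])   # the original destination replies
    dst = ".".join(str(b) for b in original[12:16])
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(src, dst, IPPROTO_ICMP, len(icmp)) + icmp


def quoted_transport(packet: bytes):
    """For an ICMP port-unreachable, return (quoted protocol, quoted destination port,
    byte offset of that port from the start of the outer IP header); None otherwise."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != IPPROTO_ICMP:
        return None
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:]
    if len(icmp) < 8 + 20 or (icmp[0], icmp[1]) != (ICMP_DEST_UNREACH, ICMP_PORT_UNREACH):
        return None
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    if len(inner) < inner_ihl + 4:          # need at least source and destination port
        return None
    _sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return inner[9], dport, ihl + 8 + inner_ihl + 2


def should_drop(packet: bytes, proto: int = IPPROTO_UDP, port: int = 123) -> bool:
    """The policy from the thread: drop port-unreachables caused by <proto> to <port> only."""
    info = quoted_transport(packet)
    return info is not None and info[0] == proto and info[1] == port


def string_match_rule(proto: int, port: int, port_offset: int) -> str:
    """Hypothetical iptables rule: two -m string windows, one over the quoted protocol
    byte and one over the quoted destination port. Assumes offsets count from the
    start of the IP header and that the quoted header is 20 bytes (no options)."""
    proto_offset = port_offset - 2 - 20 + 9   # back to the quoted IP header's protocol field
    return ("iptables -A INPUT -p icmp --icmp-type port-unreachable "
            f"-m string --algo bm --from {proto_offset} --to {proto_offset + 1} --hex-string '|{proto:02x}|' "
            f"-m string --algo bm --from {port_offset} --to {port_offset + 2} --hex-string '|{port:04x}|' "
            "-j DROP")


# Constructed sample traffic (not from the thread): an NTP query, a TCP SYN to 123 and a
# DNS query, each answered with a port-unreachable.
NTP_QUERY = udp_datagram("10.0.0.1", "10.0.0.2", 40000, 123, b"\x1b" + b"\x00" * 47)
ICMP_FOR_NTP = icmp_port_unreachable(NTP_QUERY)
ICMP_FOR_SYN = icmp_port_unreachable(tcp_syn("10.0.0.1", "10.0.0.2", 40001, 123))
ICMP_FOR_DNS = icmp_port_unreachable(udp_datagram("10.0.0.1", "10.0.0.2", 40002, 53, b"\x00" * 12))

if __name__ == "__main__":
    for name, pkt in [("udp/123", ICMP_FOR_NTP), ("tcp/123", ICMP_FOR_SYN), ("udp/53", ICMP_FOR_DNS)]:
        print(f"{name}: quoted={quoted_transport(pkt)} drop={should_drop(pkt)}")
    print(string_match_rule(IPPROTO_UDP, 123, quoted_transport(ICMP_FOR_NTP)[2]))
```

Only the port-unreachable that quotes a UDP header to port 123 is dropped; the one quoting a TCP SYN to the same port, and the one for UDP/53, pass. Because the match is on raw bytes, the rule must pin both the quoted protocol and the quoted port to their offsets, otherwise the two-byte port pattern would match anywhere it happens to occur in the packet.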


