sven@xxxxxx wrote:

>> That doesn't achieve what I want. If a TCP connection is rejected at
>> the firewall, then blocking ICMP at the upstream router will block the
>> host-unreachable from going out, not make it seem as if the router is
>> the source.
>
> You want to do SNAT?

Yes, but it isn't SNAT because it isn't being routed. It would be on the
OUTPUT chain since it is originating from the firewall.

-- 
Nathaniel Hall, GSEC GCFW GCIA