I got to thinking about the article that I cited in my previous post
"Interesting article about punching holes in firewalls..."
(https://lists.netfilter.org/pipermail/netfilter/2006-December/067573.html).
Would it be possible to somehow (I leave that up to developers) monitor
ICMP replies in response to outgoing packets and alter the connection
tracking state for the outgoing packet? I.e. if an ICMP Port / Host
unreachable packet comes back in response to an outgoing packet then
alter the connection tracking state for the packet somehow, say to unset
the RELATED / ESTABLISHED state for the packet? I would think that this
would help thwart the problem (re)presented in the article that I cited.
Thoughts / opinions / suggestions / rants are all welcomed and encouraged.
Grant. . . .
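The behaviour proposed above, modelled as an added Python example that is not part of the original thread and is not netfilter's own conntrack code: a toy state table records outgoing UDP flows, answers to them are classified ESTABLISHED, and an inbound ICMP Destination Unreachable that quotes one of those flows evicts the entry so later packets from that peer are no longer treated as part of an existing connection. The `Flow`, `Packet` and `ConntrackModel` names, the string verdicts, and all sample addresses and ports are constructed for the illustration.

```python
"""
Toy model of the idea in the post: track outgoing UDP flows and forget a
flow as soon as an ICMP port/host unreachable error quotes its original
packet.  Added illustration only; the table layout, verdict strings and
ICMP structure are simplified, and every packet below is constructed.
"""
from dataclasses import dataclass
from typing import Optional

ICMP_DEST_UNREACHABLE = 3   # ICMP type 3, Destination Unreachable
CODE_HOST_UNREACHABLE = 1   # code 1, host unreachable
CODE_PORT_UNREACHABLE = 3   # code 3, port unreachable


@dataclass(frozen=True)
class Flow:
    """A UDP flow identified by its 4-tuple, as seen from the sender."""
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.dport, self.src, self.sport)


@dataclass
class Packet:
    proto: str                  # "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: int = 0
    icmp_code: int = 0
    inner: Optional["Packet"] = None   # original packet quoted in an ICMP error


class ConntrackModel:
    """Minimal stateful filter: the only state kept is the set of outbound flows."""

    def __init__(self) -> None:
        self.table: set[Flow] = set()

    def outbound(self, pkt: Packet) -> str:
        if pkt.proto == "udp":
            self.table.add(Flow(pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "NEW"

    def inbound(self, pkt: Packet) -> str:
        if pkt.proto == "icmp" and pkt.icmp_type == ICMP_DEST_UNREACHABLE:
            if pkt.inner is None:
                return "INVALID"          # error without a quoted packet
            quoted = Flow(pkt.inner.src, pkt.inner.sport,
                          pkt.inner.dst, pkt.inner.dport)
            if quoted in self.table and pkt.src == quoted.dst:
                # The far end says the flow cannot be delivered: drop the
                # entry so nothing further is accepted as ESTABLISHED.
                self.table.discard(quoted)
                return "RELATED"
            return "INVALID"
        if pkt.proto == "udp":
            reply_of = Flow(pkt.src, pkt.sport, pkt.dst, pkt.dport).reverse()
            return "ESTABLISHED" if reply_of in self.table else "NEW"
        return "NEW"


def scenario() -> list[str]:
    """Outbound query, a reply, a port-unreachable error, then another 'reply'."""
    ct = ConntrackModel()
    query = Packet("udp", "10.0.0.5", "203.0.113.9", sport=40000, dport=53)
    reply = Packet("udp", "203.0.113.9", "10.0.0.5", sport=53, dport=40000)
    error = Packet("icmp", "203.0.113.9", "10.0.0.5",
                   icmp_type=ICMP_DEST_UNREACHABLE,
                   icmp_code=CODE_PORT_UNREACHABLE, inner=query)
    return [ct.outbound(query), ct.inbound(reply),
            ct.inbound(error), ct.inbound(reply)]


if __name__ == "__main__":
    print(scenario())
```

The last verdict is the point of the model: once the peer has reported the flow unreachable, a later packet carrying the same reverse 4-tuple is classified NEW rather than ESTABLISHED, so a firewall rule that only admits ESTABLISHED/RELATED traffic would no longer accept it. The check that the ICMP error comes from the flow's destination is a guard against anyone else being able to clear entries for flows they are not party to.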