AlexK - 5:04 pm on Jan 28, 2006 (gmt 0)

Ah, yes - a postscript.

I wanted a send a REJECT for INVALID tcp-packets so that the clients could clean up properly. That would send an ICMP packet Type-3 (Destination Unreachable) with a choice of:
icmp-net-unreachable (Code 0)
icmp-host-unreachable (Code 1)
icmp-port-unreachable (Code 2) (default)
icmp-proto-unreachable (Code 3)
icmp-net-prohibited (Code 9)
icmp-host-prohibited (Code 10)

None of the codes seemed correct. Possibly Code 13 (Communication Administratively Prohibited [RFC1812]) would have been right but, unless I am missing something, none of the codes said "hey, you have sent an INVALID packet" so, I threw up my hands and decided to simply DROP them (which does not send any notification).