diff -urb linux-2.2.17-orig/Documentation/Configure.help linux-2.2.17/Documentation/Configure.help
--- linux-2.2.17-orig/Documentation/Configure.help Thu Sep 7 03:30:34 2000
+++ linux-2.2.17/Documentation/Configure.help Thu Sep 7 05:20:38 2000
@@ -1189,6 +1189,32 @@
 Chances are that you should say Y here for every machine which is
 run as a router and N for every regular host. If unsure, say N.

+Stealth IP stack
+CONFIG_IP_STEALTH
+ Use this option to enable "Stealth" code in the kernel's IP Stack.
+ The purpose of this is to make your machine "invisible" on a network.
+
+ If you say Y here, note that stealth options are not enabled by
+ default; you can enable them by saying Y to "/proc filesystem support"
+ and "Sysctl support" below and executing a command such as:
+ echo 1 >/proc/sys/net/ipv4/tcp_restrict_rst
+
+ Features and /proc interfaces:
+ tcp_restrict_rst - Do not send TCP RST packets
+ (no "Connection Refused")
+ udp_restrict_pu - Do not send ICMP_UNREACH on udp
+ (Prevents UDP portscans)
+ icmp_restrict - Do not reply to ICMP requests
+ (Excluding ping, see below)
+ igmp_restrict - Do not reply to IGMP requests
+
+ Note that there is already a sysctl to ignore ICMP pings,
+ echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all
+
+ Enabling all of the above and filtering all open ports should make
+ your machine very hard to detect, while not interfering with (most)
+ normal operation.
+
 SYN flood protection
 CONFIG_SYN_COOKIES
 Normal TCP/IP networking is open to an attack known as "SYN
@@ -12629,4 +12655,3 @@
 # LocalWords: alphalinux GOBIOS csn chemnitz nat ACARD AMI MegaRAID megaraid
 # LocalWords: QNX4FS ISI isicom xterms Apollos VPN RCPCI rcpci sgi visws pcmcia
 # LocalWords: IrLPT UIRCC Tecra
-
Only in linux-2.2.17-orig/drivers/net: 3c503.c
Only in linux-2.2.17-orig/drivers/net: LICENSE.SRC
Only in linux-2.2.17-orig/include/linux: coda_opstats.h
Only in linux-2.2.17-orig/include/linux: dasd.h
diff -urb linux-2.2.17-orig/include/linux/sysctl.h linux-2.2.17/include/linux/sysctl.h
--- linux-2.2.17-orig/include/linux/sysctl.h Thu Sep 7 03:30:03 2000
+++ linux-2.2.17/include/linux/sysctl.h Thu Sep 7 04:57:46 2000
@@ -228,7 +228,16 @@
 NET_IPV4_ICMP_IGNORE_BOGUS_ERROR_RESPONSES=64,
 NET_IPV4_IGMP_MAX_MEMBERSHIPS=65,
 NET_IPV4_ALWAYS_DEFRAG=67,
+#ifdef CONFIG_IP_STEALTH
+ NET_IPV4_IP_MASQ_UDP_DLOOSE=68,
+ NET_IPV4_TCP_RESTRICT_RST=69,
+ NET_IPV4_UDP_RESTRICT_PU=70,
+ NET_IPV4_IGMP_RESTRICT=71,
+ NET_IPV4_ICMP_RESTRICT=72
+#else
 NET_IPV4_IP_MASQ_UDP_DLOOSE=68
+#endif
+
 };

 enum {
diff -urb linux-2.2.17-orig/net/ipv4/Config.in linux-2.2.17/net/ipv4/Config.in
--- linux-2.2.17-orig/net/ipv4/Config.in Thu Sep 7 03:30:08 2000
+++ linux-2.2.17/net/ipv4/Config.in Thu Sep 7 04:19:56 2000
@@ -73,6 +73,7 @@
 bool 'IP: ARP daemon support (EXPERIMENTAL)' CONFIG_ARPD
 fi
 fi
+bool 'IP: Stealth Code (not enabled per default)' CONFIG_IP_STEALTH
 bool 'IP: TCP syncookie support (not enabled per default)' CONFIG_SYN_COOKIES
 comment '(it is safe to leave these untouched)'
 #bool 'IP: PC/TCP compatibility mode' CONFIG_INET_PCTCP
@@ -83,4 +84,3 @@
 #if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
 #bool 'IP: support experimental checksum copy to user for UDP' CONFIG_UDP_DELAY_CSUM
 #fi
-
diff -urb linux-2.2.17-orig/net/ipv4/icmp.c linux-2.2.17/net/ipv4/icmp.c
--- linux-2.2.17-orig/net/ipv4/icmp.c Thu Sep 7 03:30:08 2000
+++ linux-2.2.17/net/ipv4/icmp.c Thu Sep 7 04:38:20 2000
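Review bot: The new enum constants NET_IPV4_TCP_RESTRICT_RST through NET_IPV4_ICMP_RESTRICT (69–72) are placed under `#ifdef CONFIG_IP_STEALTH` inside include/linux/sysctl.h, a header that in this era was also consumed by user-space builds where CONFIG_ symbols are never defined, so anything compiled against it sees only the `#else` branch and cannot name the new binary sysctl ids; since that branch merely repeats `NET_IPV4_IP_MASQ_UDP_DLOOSE=68`, the conditional buys nothing. Enum constants cost nothing when unused, so define all five unconditionally here and keep the `#ifdef` on the ctl_table entries in sysctl_net_ipv4.c only. Note also that 69–72 are taken privately from a numbering space upstream keeps extending; a later kernel reusing one of them would make a program that hard-codes the id write a different knob, so the help text should present /proc/sys as the only supported interface for these flags. The enum continues outside the hunk.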
@@ -317,6 +317,10 @@
 int sysctl_icmp_echo_ignore_all = 0;
 int sysctl_icmp_echo_ignore_broadcasts = 0;

+#ifdef CONFIG_IP_STEALTH
+int sysctl_icmp_restrict = 0;
+#endif
+
 /* Control parameter - ignore bogus broadcast responses? */
 int sysctl_icmp_ignore_bogus_error_responses =0;

@@ -887,7 +891,10 @@
 icmp_param.icmph.code=0;
 icmp_param.data_ptr=×
 icmp_param.data_len=12;
+#ifdef CONFIG_IP_STEALTH
+ if (!sysctl_icmp_restrict)
 icmp_reply(&icmp_param, skb);
+#endif
 }


diff -urb linux-2.2.17-orig/net/ipv4/igmp.c linux-2.2.17/net/ipv4/igmp.c
--- linux-2.2.17-orig/net/ipv4/igmp.c Thu Sep 7 03:30:08 2000
+++ linux-2.2.17/net/ipv4/igmp.c Thu Sep 7 04:42:12 2000
@@ -99,6 +99,10 @@

 #define IP_MAX_MEMBERSHIPS 20

+#ifdef CONFIG_IP_STEALTH
+int sysctl_igmp_restrict = 0;
+#endif
+
 #ifdef CONFIG_IP_MULTICAST

 /* Parameter names and values are taken from igmp-v2-06 draft */
@@ -157,6 +161,9 @@
 struct rtable *rt;
 u32 dst;

+ if (sysctl_igmp_restrict)
+ return(-1);
+
 /* According to IGMPv2 specs, LEAVE messages are
 * sent to all-routers group.
 */
@@ -695,4 +702,3 @@
 return len;
 }
 #endif
-
diff -urb linux-2.2.17-orig/net/ipv4/sysctl_net_ipv4.c linux-2.2.17/net/ipv4/sysctl_net_ipv4.c
--- linux-2.2.17-orig/net/ipv4/sysctl_net_ipv4.c Thu Sep 7 03:30:08 2000
+++ linux-2.2.17/net/ipv4/sysctl_net_ipv4.c Thu Sep 7 04:55:42 2000
@@ -48,6 +48,13 @@
 extern int sysctl_ip_masq_debug;
 extern int sysctl_ip_masq_udp_dloose;

+#ifdef CONFIG_IP_STEALTH
+extern int sysctl_tcp_restrict_rst;
+extern int sysctl_udp_restrict_pu;
+extern int sysctl_icmp_restrict;
+extern int sysctl_igmp_restrict;
+#endif
+
 extern int sysctl_tcp_timestamps;
 extern int sysctl_tcp_window_scaling;
 extern int sysctl_tcp_sack;
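Review bot: In the second icmp.c hunk the added `if (!sysctl_icmp_restrict)` sits between `#ifdef CONFIG_IP_STEALTH` and `#endif` while the statement it governs, the unchanged context line `icmp_reply(&icmp_param, skb);`, is compiled unconditionally, so whether that line is guarded depends on a preprocessor switch two lines above it and any statement later inserted between them silently changes what is skipped in one configuration but not the other. A form that reads identically in both builds is safer, e.g. an `#else` that defines `sysctl_icmp_restrict` as `0` so the guard can be a plain `if (!sysctl_icmp_restrict) icmp_reply(&icmp_param, skb);`; the udp.c hunk further down uses the same fragile construct. This is also the only reply path in icmp.c the patch changes (`data_len=12` suggests it is the timestamp reply), so `icmp_restrict` does not deliver the Configure.help promise "Do not reply to ICMP requests": other request handlers in this file, presumably including address-mask, are untouched, and echo is covered only by the pre-existing icmp_echo_ignore_all sysctl. The enclosing function starts before the hunk, and `data_ptr=×` looks like a rendering artifact for `&times;` rather than what the patch contains.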
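Review bot: The check `if (sysctl_igmp_restrict) return(-1);` in the igmp.c hunk at line 157 is not wrapped in `#ifdef CONFIG_IP_STEALTH`, yet the variable is only defined under that `#ifdef` in the hunk at line 99 of the same file, so a kernel built with CONFIG_IP_MULTICAST and without CONFIG_IP_STEALTH stops with an undeclared identifier here unless some declaration exists outside the visible hunks; either guard the check the way the tcp_ipv4.c hunk does, or define the variable unconditionally. Beyond that, the early return lands in the generic report-sending routine (the "LEAVE messages are sent to all-routers group" comment suggests igmp_send_report, whose head is above the hunk), so it suppresses every membership report and leave this host originates—including joins requested by local applications—rather than only answers to router queries as the help text "Do not reply to IGMP requests" implies, and upstream routers will then stop forwarding multicast traffic to the host. If query-reply suppression is the intent, the check belongs where the query-response timer fires, and the `-1` it returns should be honored by the callers, none of which are visible here.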
@@ -206,6 +213,16 @@
 #ifdef CONFIG_IP_MULTICAST
 {NET_IPV4_IGMP_MAX_MEMBERSHIPS, "igmp_max_memberships",
 &sysctl_igmp_max_memberships, sizeof(int), 0644, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_IP_STEALTH
+ {NET_IPV4_TCP_RESTRICT_RST, "tcp_restrict_rst",
+ &sysctl_tcp_restrict_rst, sizeof(int), 0644, NULL, &proc_dointvec},
+ {NET_IPV4_UDP_RESTRICT_PU, "udp_restrict_pu",
+ &sysctl_udp_restrict_pu, sizeof(int), 0644, NULL, &proc_dointvec},
+ {NET_IPV4_ICMP_RESTRICT, "icmp_restrict",
+ &sysctl_icmp_restrict, sizeof(int), 0644, NULL, &proc_dointvec},
+ {NET_IPV4_IGMP_RESTRICT, "igmp_restrict",
+ &sysctl_igmp_restrict, sizeof(int), 0644, NULL, &proc_dointvec},
 #endif
 {0}
 };
diff -urb linux-2.2.17-orig/net/ipv4/tcp_ipv4.c linux-2.2.17/net/ipv4/tcp_ipv4.c
--- linux-2.2.17-orig/net/ipv4/tcp_ipv4.c Thu Sep 7 03:30:09 2000
+++ linux-2.2.17/net/ipv4/tcp_ipv4.c Thu Sep 7 04:24:08 2000
@@ -63,6 +63,10 @@
 #include
 #include

+#ifdef CONFIG_IP_STEALTH
+int sysctl_tcp_restrict_rst = 0;
+#endif
+
 extern int sysctl_tcp_timestamps;
 extern int sysctl_tcp_window_scaling;
 extern int sysctl_tcp_sack;
@@ -984,6 +988,10 @@
 struct tcphdr rth;
 struct ip_reply_arg arg;

+#ifdef CONFIG_IP_STEALTH
+ if (sysctl_tcp_restrict_rst)
+ return;
+#endif
 /* Never send a reset in response to a reset. */
 if (th->rst)
 return;
diff -urb linux-2.2.17-orig/net/ipv4/udp.c linux-2.2.17/net/ipv4/udp.c
--- linux-2.2.17-orig/net/ipv4/udp.c Thu Sep 7 03:30:08 2000
+++ linux-2.2.17/net/ipv4/udp.c Thu Sep 7 04:51:19 2000
@@ -115,6 +115,10 @@
 #include
 #include

+#ifdef CONFIG_IP_STEALTH
+int sysctl_udp_restrict_pu = 0;
+#endif
+
 /*
 * Snmp MIB for the UDP layer
 */
@@ -1133,6 +1137,9 @@
 goto csum_error;
 #endif
 udp_statistics.UdpNoPorts++;
+#ifdef CONFIG_IP_STEALTH
+ if (!sysctl_udp_restrict_pu)
+#endif
 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
 /*
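Review bot: The four new ctl_table entries register boolean knobs through `proc_dointvec` with no range, so any integer is accepted and every non-zero value switches the feature on; if this tree already has `proc_dointvec_minmax` (it appears in 2.2-era kernel/sysctl.c as far as I recall), a 0..1 range would reject garbage writes and keep the files readable as flags. The `igmp_restrict` entry is also placed after the `#endif` that closes the CONFIG_IP_MULTICAST block, while the only consumer of `sysctl_igmp_restrict` in this patch is code inside `#ifdef CONFIG_IP_MULTICAST` in igmp.c, so non-multicast kernels expose a knob that does nothing; moving that one entry inside the multicast block, or documenting the no-op, would avoid a false sense of coverage. The 0644 modes themselves are right: only root can change how the host answers the network, and reading the state is harmless.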
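Review bot: The early `return` on `sysctl_tcp_restrict_rst` in the tcp_ipv4.c hunk at line 984 silences every reset produced by this function, not just the "Connection Refused" case Configure.help describes: the same routine (presumably tcp_v4_send_reset, whose head lies above the hunk) is what answers segments that match no socket or an invalid state, so with the knob on, peers holding stale or half-open connections after a reboot of this host hang until their own timers fire instead of being torn down; resets sent actively by a closing socket go through a different path and are unaffected, if this tree matches mainline. From a scanner's point of view a port that neither SYN-ACKs nor RSTs is reported as filtered rather than closed, and the contrast with open ports that still answer is itself a fingerprint, so the "invisible" wording in the help text deserves a caveat. A comment above the guard such as `/* Global: also drops resets that clear stale/half-open peers, not only closed-port refusals */` would warn the next maintainer, and a per-port packet-filter rule remains the place to get the selective version of this behaviour.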