diff -urB linux-orig/Documentation/Configure.help linux/Documentation/Configure.help
--- linux-orig/Documentation/Configure.help	Tue Dec 12 04:16:11 2000
+++ linux/Documentation/Configure.help	Tue Dec 12 04:16:43 2000
@@ -1243,6 +1243,32 @@
   Chances are that you should say Y here for every machine which is
   run as a router and N for every regular host. If unsure, say N.
 
+Stealth IP stack
+CONFIG_IP_STEALTH
+  Use this option to enable "Stealth" code in the kernel's IP Stack.
+  The purpose of this is to make your machine "invisible" on a network.
+  
+  If you say Y here, note that stealth options are not enabled by 
+  default; you can enable them by saying Y to "/proc filesystem support" 
+  and "Sysctl support" below and executing a command such as:
+  echo 1 >/proc/sys/net/ipv4/tcp_restrict_rst
+
+  Features and /proc interfaces:
+    tcp_restrict_rst - Do not send TCP RST packets 
+                              (no "Connection Refused")
+    udp_restrict_pu  - Do not send ICMP_UNREACH on udp
+                              (Prevents UDP portscans)
+    icmp_restrict    - Do not reply to ICMP requests
+                              (Excluding ping, see below)
+    igmp_restrict    - Do not reply to IGMP requests
+
+  Note that there is already a sysctl to ignore ICMP pings,
+    echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all
+
+  Enabling all of the above and filtering all open ports should make 
+  your machine very hard to detect, while not interfering with (most) 
+  normal operation.
+
 SYN flood protection
 CONFIG_SYN_COOKIES
   Normal TCP/IP networking is open to an attack known as "SYN
Only in linux/Documentation: Configure.help.orig
diff -urB linux-orig/include/linux/sysctl.h linux/include/linux/sysctl.h
--- linux-orig/include/linux/sysctl.h	Tue Dec 12 04:15:46 2000
+++ linux/include/linux/sysctl.h	Tue Dec 12 04:16:43 2000
@@ -231,7 +231,16 @@
 	NET_IPV4_ICMP_IGNORE_BOGUS_ERROR_RESPONSES=64,
 	NET_IPV4_IGMP_MAX_MEMBERSHIPS=65,
 	NET_IPV4_ALWAYS_DEFRAG=67,
+#ifdef CONFIG_IP_STEALTH
+	NET_IPV4_IP_MASQ_UDP_DLOOSE=68,
+	NET_IPV4_TCP_RESTRICT_RST=69,
+	NET_IPV4_UDP_RESTRICT_PU=70,
+	NET_IPV4_IGMP_RESTRICT=71,
+	NET_IPV4_ICMP_RESTRICT=72
+#else
 	NET_IPV4_IP_MASQ_UDP_DLOOSE=68
+#endif
+		
 };
 
 enum {
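Review bot: `NET_IPV4_IP_MASQ_UDP_DLOOSE=68` is now spelled twice, once per preprocessor branch, apparently only to manage the trailing comma, and the four new ids exist in the header only when CONFIG_IP_STEALTH is set. The neighbouring `NET_IPV4_IGMP_MAX_MEMBERSHIPS=65` is declared unconditionally even though its table entry in sysctl_net_ipv4.c sits under `#ifdef CONFIG_IP_MULTICAST`, so the consistent form is to drop the `#ifdef`/`#else` here and list 69–72 unconditionally after 68. These numbers belong to the binary sysctl namespace, so values chosen by an out-of-tree patch may collide with later mainline allocations; a comment marking them as patch-local would help. The added whitespace-only line before `};` can go. The enum opens outside the hunk.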
Only in linux/include/linux: sysctl.h.orig
diff -urB linux-orig/net/ipv4/Config.in linux/net/ipv4/Config.in
--- linux-orig/net/ipv4/Config.in	Tue Dec 12 04:15:48 2000
+++ linux/net/ipv4/Config.in	Tue Dec 12 04:16:43 2000
@@ -73,6 +73,7 @@
     bool 'IP: ARP daemon support (EXPERIMENTAL)' CONFIG_ARPD
   fi
 fi
+bool 'IP: Stealth Code (not enabled per default)' CONFIG_IP_STEALTH
 bool 'IP: TCP syncookie support (not enabled per default)' CONFIG_SYN_COOKIES
 comment '(it is safe to leave these untouched)'
 #bool 'IP: PC/TCP compatibility mode' CONFIG_INET_PCTCP
diff -urB linux-orig/net/ipv4/icmp.c linux/net/ipv4/icmp.c
--- linux-orig/net/ipv4/icmp.c	Tue Dec 12 04:15:48 2000
+++ linux/net/ipv4/icmp.c	Tue Dec 12 04:16:43 2000
@@ -317,6 +317,10 @@
 int sysctl_icmp_echo_ignore_all = 0;
 int sysctl_icmp_echo_ignore_broadcasts = 0;
 
+#ifdef CONFIG_IP_STEALTH
+int sysctl_icmp_restrict = 0;
+#endif
+
 /* Control parameter - ignore bogus broadcast responses? */
 int sysctl_icmp_ignore_bogus_error_responses =0;
 
@@ -893,7 +897,10 @@
 	icmp_param.icmph.code=0;
 	icmp_param.data_ptr=&times;
 	icmp_param.data_len=12;
+#ifdef CONFIG_IP_STEALTH      
+	if (!sysctl_icmp_restrict)
 	icmp_reply(&icmp_param, skb);
+#endif
 }
 
 
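Review bot: The `#endif` is placed after the pre-existing `icmp_reply(&icmp_param, skb);` call, so a kernel built without CONFIG_IP_STEALTH compiles the reply out entirely and this handler never answers. Only the `if` should be conditional: `#ifdef CONFIG_IP_STEALTH` / `if (!sysctl_icmp_restrict)` / `#endif`, followed by the unconditional `icmp_reply(&icmp_param, skb);`, which is the shape the udp.c hunk already uses. This is also the only ICMP reply site gated in the visible diff (judging by `data_ptr=&times` it looks like the timestamp reply), while Configure.help describes icmp_restrict as covering ICMP requests in general, so either the help text or the coverage should be adjusted. The function starts outside the hunk.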
Only in linux/net/ipv4: icmp.c.orig
diff -urB linux-orig/net/ipv4/igmp.c linux/net/ipv4/igmp.c
--- linux-orig/net/ipv4/igmp.c	Tue Dec 12 04:15:48 2000
+++ linux/net/ipv4/igmp.c	Tue Dec 12 04:16:43 2000
@@ -99,6 +99,10 @@
 
 #define IP_MAX_MEMBERSHIPS 20
 
+#ifdef CONFIG_IP_STEALTH
+int sysctl_igmp_restrict = 0;
+#endif
+
 #ifdef CONFIG_IP_MULTICAST
 
 /* Parameter names and values are taken from igmp-v2-06 draft */
@@ -157,6 +161,9 @@
 	struct rtable *rt;
 	u32	dst;
 
+	if (sysctl_igmp_restrict)
+		return(-1);
+
 	/* According to IGMPv2 specs, LEAVE messages are
 	 * sent to all-routers group.
 	 */
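Review bot: The added `if (sysctl_igmp_restrict)` is not wrapped in `#ifdef CONFIG_IP_STEALTH`, but the variable is defined only under that option in the earlier igmp.c hunk, so a build with this code enabled and CONFIG_IP_STEALTH unset should fail on an undeclared identifier. Guard it the way tcp_ipv4.c does: `#ifdef CONFIG_IP_STEALTH` / `if (sysctl_igmp_restrict) return -1;` / `#endif`. The check sits at the top of what appears to be the report sender (the comment that follows mentions LEAVE messages), so it would suppress membership reports and leaves, not only replies to queries. A comment should say so, since upstream routers or snooping switches may then stop forwarding groups to this host. The function signature and the callers' handling of -1 are outside the hunk.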
diff -urB linux-orig/net/ipv4/sysctl_net_ipv4.c linux/net/ipv4/sysctl_net_ipv4.c
--- linux-orig/net/ipv4/sysctl_net_ipv4.c	Tue Dec 12 04:15:48 2000
+++ linux/net/ipv4/sysctl_net_ipv4.c	Tue Dec 12 04:16:43 2000
@@ -35,6 +35,13 @@
 extern int sysctl_ip_masq_debug;
 extern int sysctl_ip_masq_udp_dloose;
 
+#ifdef CONFIG_IP_STEALTH
+extern int sysctl_tcp_restrict_rst;
+extern int sysctl_udp_restrict_pu;
+extern int sysctl_icmp_restrict;
+extern int sysctl_igmp_restrict;
+#endif
+
 extern int sysctl_tcp_timestamps;
 extern int sysctl_tcp_window_scaling;
 extern int sysctl_tcp_sack;
@@ -197,6 +204,16 @@
 #ifdef CONFIG_IP_MULTICAST
 	{NET_IPV4_IGMP_MAX_MEMBERSHIPS, "igmp_max_memberships",
 	 &sysctl_igmp_max_memberships, sizeof(int), 0644, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_IP_STEALTH
+	{NET_IPV4_TCP_RESTRICT_RST, "tcp_restrict_rst",
+	 &sysctl_tcp_restrict_rst, sizeof(int), 0644, NULL, &proc_dointvec},
+	{NET_IPV4_UDP_RESTRICT_PU, "udp_restrict_pu",
+	 &sysctl_udp_restrict_pu, sizeof(int), 0644, NULL, &proc_dointvec},
+	{NET_IPV4_ICMP_RESTRICT, "icmp_restrict",
+	 &sysctl_icmp_restrict, sizeof(int), 0644, NULL, &proc_dointvec},
+	{NET_IPV4_IGMP_RESTRICT, "igmp_restrict",
+	 &sysctl_igmp_restrict, sizeof(int), 0644, NULL, &proc_dointvec},
 #endif
 	{0}
 };
Only in linux/net/ipv4: sysctl_net_ipv4.c.orig
diff -urB linux-orig/net/ipv4/tcp_ipv4.c linux/net/ipv4/tcp_ipv4.c
--- linux-orig/net/ipv4/tcp_ipv4.c	Tue Dec 12 04:15:48 2000
+++ linux/net/ipv4/tcp_ipv4.c	Tue Dec 12 04:16:43 2000
@@ -63,6 +63,10 @@
 #include <linux/inet.h>
 #include <linux/stddef.h>
 
+#ifdef CONFIG_IP_STEALTH
+int sysctl_tcp_restrict_rst = 0;
+#endif
+
 extern int sysctl_tcp_timestamps;
 extern int sysctl_tcp_window_scaling;
 extern int sysctl_tcp_sack;
@@ -984,6 +988,10 @@
 	struct tcphdr rth;
 	struct ip_reply_arg arg;
 
+#ifdef CONFIG_IP_STEALTH
+	if (sysctl_tcp_restrict_rst)
+		return;
+#endif
 	/* Never send a reset in response to a reset. */
 	if (th->rst)
 		return;
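Review bot: The early return is placed ahead of every other check in this reset sender, so with tcp_restrict_rst set no RST is emitted at all, whereas Configure.help describes the effect only as 'no "Connection Refused"'. If this function is the common path for all IPv4 resets (its name is outside the hunk), segments for stale or unknown connections also go unanswered and peers are left to time out. I would add a comment above the check such as `/* Stealth: suppresses every outgoing RST, including those for out-of-state segments */`, or narrow the condition if only closed-port probes are meant. Nothing is counted or logged when a reset is suppressed, so the setting also removes a signal operators might rely on when troubleshooting.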
diff -urB linux-orig/net/ipv4/udp.c linux/net/ipv4/udp.c
--- linux-orig/net/ipv4/udp.c	Tue Dec 12 04:15:48 2000
+++ linux/net/ipv4/udp.c	Tue Dec 12 04:16:43 2000
@@ -115,6 +115,10 @@
 #include <net/route.h>
 #include <net/checksum.h>
 
+#ifdef CONFIG_IP_STEALTH
+int sysctl_udp_restrict_pu = 0;
+#endif
+
 /*
  *	Snmp MIB for the UDP layer
  */
@@ -1133,6 +1137,9 @@
 			goto csum_error;
 #endif
   		udp_statistics.UdpNoPorts++;
+#ifdef CONFIG_IP_STEALTH
+		if (!sysctl_udp_restrict_pu)
+#endif
 		icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
 
 		/*
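Review bot: The new `if (!sysctl_udp_restrict_pu)` has no braces, and its controlled statement, the `icmp_send(...)` call, sits outside the `#ifdef` at the same indentation. The dependency between the two lines is therefore easy to miss, and a statement inserted between them later would silently become the conditional body. A braced form under the conditional reads more safely, or at minimum a comment on the `if` such as `/* guards the icmp_send() below */`. UdpNoPorts is still incremented before the check, which keeps probes to closed ports countable when the unreachable is suppressed; that ordering is worth preserving. The enclosing function starts and ends outside the hunk.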
