Subject: Re: IPF Configuration
To: None <netbsd-help@NetBSD.org>
From: Diana Eichert <deichert@wrench.com>
List: netbsd-help
Date: 11/01/2003 19:22:28
On Sun, 2 Nov 2003, Richard wrote:

> Diana
> 
> Yes.  Read that before I did anything else :)  It is very good but I 
> have to admit that the syntax for IPF did confuse me quite a bit.
> 
> I need some basic help with some syntax for IPF.  Once I can 
> understand it fully then I probably won't need human help.
> 
> -- 
> Richard

What you want to do is block the incoming UDP connection to port 500.
Look at the examples below, from
http://www.obfuscation.org/ipf/ipf-howto.html#TOC_24

* Responding To a Blocked Packet
*
* It's also possible to send an error message when somebody sends a packet
* to a UDP port on your system. Whereas once you might have used:
*
* block in log quick on tun0 proto udp from any to 20.20.20.0/24 port = 111
*
* You could instead use the return-icmp keyword to send a reply:
*
* block return-icmp(port-unr) in log quick on tun0 proto udp from any to 20.20.20.0/24 port = 111
*
* According to TCP/IP Illustrated, port-unreachable is the correct ICMP
* type to return when no service is listening on the port in question. You
* can use any ICMP type you like, but port-unreachable is probably your
* best bet. It's also the default ICMP type for return-icmp.

Sooooo, you could block an incoming UDP connection to port 500 and leave
it dying on the vine with:

block in quick on "Interface" proto udp from any to "local ip" port = 500

where "Interface" is your external interface
and
"local ip" is the IP address of your system.

Oh, you know, when you get this it's gonna jump out at you how clear it is!

FWIW I haven't used IPF in a couple of years, so I had to go look at the
HOWTO again to get the syntax.
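To make the rule syntax from the mail and the HOWTO concrete, here is an added example (not part of the thread and not IPFilter's own code): a small Python evaluator that parses rules of exactly this shape and applies IPF's matching semantics to constructed packets. The ruleset is a constructed ipf.conf fragment in which "ex0" and 192.0.2.10 stand in for the "Interface" and "local ip" placeholders; the source addresses are documentation-range values, not real hosts. It shows the difference between a silent `block` and `block return-icmp(port-unr)`, and why `quick` matters: without it, IPF lets the last matching rule decide, so a trailing `pass in all` would override the block.

```python
"""Minimal evaluator for IPFilter (ipf.conf) rules of the shape used in this
thread. Constructed illustration code, not IPFilter's parser; it understands
block/pass, return-icmp(type), in/out, log, quick, on IFACE, proto, from/to
with an optional 'port = N', and the keyword 'all'."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed ipf.conf fragment. "ex0" and 192.0.2.10 are placeholders for the
# "Interface" and "local ip" in the mail; they are not real values.
RULESET = """
# silently drop UDP/500 arriving on the external interface
block in quick on ex0 proto udp from any to 192.0.2.10 port = 500
# reject UDP/111 with an ICMP port-unreachable instead (HOWTO example)
block return-icmp(port-unr) in log quick on ex0 proto udp from any to 192.0.2.10 port = 111
# let everything else in (IPF's verdict when no rule matches is also pass)
pass in all
"""

RULE_RE = re.compile(r"""
    ^(?P<action>block|pass)
    (?P<ret>\s+return-icmp(?:\((?P<icmp>[\w-]+)\))?)?
    \s+(?P<dir>in|out)
    (?P<log>\s+log)?
    (?P<quick>\s+quick)?
    (?:\s+on\s+(?P<iface>\S+))?
    (?:\s+proto\s+(?P<proto>\w+))?
    (?:\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?:\s+port\s*=\s*(?P<port>\d+))?
      |\s+all)
    \s*$""", re.VERBOSE)


@dataclass
class Rule:
    action: str            # "block" or "pass"
    icmp: Optional[str]    # ICMP type to return, or None for a silent drop
    direction: str         # "in" or "out"
    quick: bool            # decide immediately if this rule matches
    iface: Optional[str]
    proto: Optional[str]
    src: str               # "any" or an address/CIDR
    dst: str
    dport: Optional[int]
    text: str


@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def parse_rules(conf: str) -> List[Rule]:
    rules = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()      # ipf.conf uses '#' comments
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        icmp = None
        if m["ret"] is not None:
            # the HOWTO notes that port-unreachable is return-icmp's default
            icmp = m["icmp"] or "port-unr"
        rules.append(Rule(
            action=m["action"], icmp=icmp, direction=m["dir"],
            quick=m["quick"] is not None, iface=m["iface"], proto=m["proto"],
            src=m["src"] or "any", dst=m["dst"] or "any",
            dport=int(m["port"]) if m["port"] else None, text=line))
    return rules


def _addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def rule_matches(r: Rule, p: Packet) -> bool:
    return (r.direction == p.direction
            and (r.iface is None or r.iface == p.iface)
            and (r.proto is None or r.proto == p.proto)
            and _addr_ok(r.src, p.src) and _addr_ok(r.dst, p.dst)
            and (r.dport is None or r.dport == p.dport))


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, Optional[str], Optional[str]]:
    """IPF semantics: the LAST matching rule decides, except that a matching
    rule marked 'quick' decides immediately and later rules are skipped.
    Returns (action, icmp_type_or_None, matched_rule_text_or_None)."""
    verdict: Tuple[str, Optional[str], Optional[str]] = ("pass", None, None)
    for r in rules:
        if rule_matches(r, p):
            verdict = (r.action, r.icmp, r.text)
            if r.quick:
                break
    return verdict


if __name__ == "__main__":
    rules = parse_rules(RULESET)
    isakmp = Packet("in", "ex0", "udp", "198.51.100.7", "192.0.2.10", 500)
    print(evaluate(rules, isakmp))                     # silent block
    # Drop every 'quick': the trailing 'pass in all' becomes the last match.
    print(evaluate(parse_rules(RULESET.replace(" quick", "")), isakmp))
```

The interesting check is the last line of the demo: with `quick` removed, the UDP/500 packet is passed by `pass in all` even though an earlier rule blocked it, which is the easiest IPF mistake to make when a ruleset ends in a catch-all.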