Comment 13 for bug 1834974

Also, can the rules use something else rather than icmp-host-prohibited? That gives back 'No route to host' which is wrong:

| $ nc -vz 150.136.239.201 80
| nc: connect to 150.136.239.201 port 80 (tcp) failed: No route to host

This made me waste a bit of time trying to figure out if it's routing somewhere between our network (and my local network) and OCI.

For TCP, perhaps tcp-reset?

For UDP, or the rest, icmp-port-unreachable?