From: "Karl O. Pinc" <kop@meme.com>
To: pf@benzedrine.cx
Cc: freebsd-pf@freebsd.org
Date: Thu, 28 Jul 2005 16:15:27 +0000
Subject: Re: pinging same host on the internet from two different LAN stations
In-Reply-To: <20050728093738.GH15154@insomnia.benzedrine.cx>
List: freebsd-pf@freebsd.org ("Technical discussion and general questions about packet filter (pf)")

On 07/28/2005 04:37:38 AM, Daniel Hartmeier wrote:
> Assuming Windows ping is not doing that, you'll have to provide an
> alternative way to decide which client to send replies to. There's ICMP
> sequence numbers, but they can and will overlap for concurrent ping
> invocations. The ICMP echo reply quotes the ICMP payload of the query.
> But most ping tools will use a constant payload, so that's no
> distinguishing criterion. The NAT device could tamper with the payload
> and insert its own ID there, but that's modifying the packet in an
> intrusive and unexpected way.
>
> I'm curious how any NAT device would do that correctly without relying
> on unique/random ICMP ids.

I cannot speak to how anything is implemented anywhere, but it seems to
me that the NAT device could substitute its own ICMP ID, which it saves
in a state table associated with the sending IP. When the ICMP reply
returns it would then put the original ICMP id back. This scheme swaps
ICMP IDs in a fashion analogous to the swapping of ports in TCP/UDP NAT
port mapping.

I imagine this would require another kind of pf translation declaration.

Regards,

Karl
Free Software: "You don't pay back, you pay forward."
-- Robert A. Heinlein

P.S. I remain anxious to hear whether I'd be wasting my time pursuing
inbound traffic bandwidth management. The thread is:
http://marc.theaimsgroup.com/?t=112139406900001&r=1&w=2
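The ICMP-ID swapping that Karl proposes above, written out as an added illustration. This is not pf's code and not anything posted in the thread; it is a userland simulation of the state table, with constructed addresses (192.168.1.x clients, 198.51.100.1 as the NAT's external address, 203.0.113.5 as the pinged host) and two clients that both use the constant ICMP ID 1, which is the Windows-ping case the thread is about. The translator keeps a state entry keyed on the destination and the substituted ID, rewrites the ID (and recomputes the ICMP checksum) on the way out, and restores the client's original ID on the way back, leaving the payload untouched.

```python
import struct

ECHO_REPLY, ECHO_REQUEST = 0, 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a message whose
    checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP echo request/reply: type, code, checksum, id, seq, data."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(pkt: bytes):
    """Return (type, id, seq, payload); reject a bad checksum outright."""
    if len(pkt) < 8 or icmp_checksum(pkt) != 0:
        raise ValueError("malformed ICMP echo")
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return icmp_type, ident, seq, pkt[8:]


def host_reply(pkt: bytes) -> bytes:
    """What the remote host does: echo id, seq and payload back unchanged."""
    _t, ident, seq, payload = parse_echo(pkt)
    return build_echo(ECHO_REPLY, ident, seq, payload)


class IcmpIdNat:
    """ICMP echo ID translation, analogous to port translation for TCP/UDP.
    Hypothetical illustration; not a pf data structure."""

    def __init__(self, external_ip: str):
        self.ext = external_ip
        self.next_id = 1                     # arbitrary starting point
        self.out = {}    # (client_ip, dst_ip, client_id) -> translated id
        self.back = {}   # (dst_ip, translated id) -> (client_ip, client_id)

    def _alloc(self, dst_ip: str) -> int:
        # Hand out a translated ID that is not already in use towards dst_ip.
        while (dst_ip, self.next_id) in self.back:
            self.next_id = (self.next_id % 0xFFFF) + 1
        nat_id = self.next_id
        self.next_id = (self.next_id % 0xFFFF) + 1
        return nat_id

    def outbound(self, src_ip: str, dst_ip: str, pkt: bytes):
        """LAN -> Internet: substitute our own ID, remember the mapping."""
        icmp_type, ident, seq, payload = parse_echo(pkt)
        if icmp_type != ECHO_REQUEST:
            return None
        key = (src_ip, dst_ip, ident)
        nat_id = self.out.get(key)
        if nat_id is None:
            nat_id = self._alloc(dst_ip)
            self.out[key] = nat_id
            self.back[(dst_ip, nat_id)] = (src_ip, ident)
        return self.ext, dst_ip, build_echo(icmp_type, nat_id, seq, payload)

    def inbound(self, src_ip: str, dst_ip: str, pkt: bytes):
        """Internet -> LAN: look up the state and put the client's ID back.
        A reply with no matching state is dropped (returns None)."""
        icmp_type, ident, seq, payload = parse_echo(pkt)
        if icmp_type != ECHO_REPLY or dst_ip != self.ext:
            return None
        entry = self.back.get((src_ip, ident))
        if entry is None:
            return None
        client_ip, client_id = entry
        return src_ip, client_ip, build_echo(icmp_type, client_id, seq, payload)


def demo():
    """Two clients, same destination, same constant ICMP ID 1 (constructed)."""
    nat = IcmpIdNat("198.51.100.1")
    host = "203.0.113.5"
    req = build_echo(ECHO_REQUEST, 1, 7, b"windows-payload!")
    _, _, out_a = nat.outbound("192.168.1.10", host, req)
    _, _, out_b = nat.outbound("192.168.1.11", host, req)
    # The host answers both; the NAT must route each reply to the right client.
    _, to_a, in_a = nat.inbound(host, "198.51.100.1", host_reply(out_a))
    _, to_b, in_b = nat.inbound(host, "198.51.100.1", host_reply(out_b))
    return {
        "translated_ids": (parse_echo(out_a)[1], parse_echo(out_b)[1]),
        "delivered_to": (to_a, to_b),
        "restored_ids": (parse_echo(in_a)[1], parse_echo(in_b)[1]),
        "payload_intact": parse_echo(in_b)[3] == b"windows-payload!",
    }


if __name__ == "__main__":
    print(demo())
```

The state table here is keyed on (destination, translated ID) because that is all a reply carries back; sequence numbers are deliberately not part of the key, since, as Daniel notes, they overlap across concurrent pings. A reply with no matching state is dropped rather than guessed at.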