From owner-freebsd-security@FreeBSD.ORG Fri May 13 06:03:10 2005 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E392716A4CE for ; Fri, 13 May 2005 06:03:10 +0000 (GMT) Received: from h2.prohosting.com.ua (h2.prohosting.com.ua [217.16.18.181]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7DD7043D1D for ; Fri, 13 May 2005 06:03:10 +0000 (GMT) (envelope-from news@625.ru) Received: from [194.84.94.11] (helo=[192.168.5.24]) by h2.prohosting.com.ua with esmtpa (Exim 4.50 (FreeBSD)) id 1DWTGN-000PwY-AK for freebsd-security@freebsd.org; Fri, 13 May 2005 10:03:09 +0400 Date: Fri, 13 May 2005 10:02:45 +0400 From: "Danil V. Gerun" Organization: =?Windows-1251?Q?=CC=D3=CF_=E3=2E_=D1=EE=F7=E8_=22=C2=EE=E4=EE=EA=E0=ED?= =?Windows-1251?Q?=E0=EB=22_/_Water_Supply_and_Water_Treatment_Municipal?= =?Windows-1251?Q?_Unitary_Undertaking_of_city_Sochi?= X-Priority: 3 (Normal) Message-ID: <1682287017.20050513100245@625.ru> To: freebsd-security@freebsd.org In-Reply-To: <20050511205723.48284.qmail@web41210.mail.yahoo.com> References: 6667 <20050511205723.48284.qmail@web41210.mail.yahoo.com> MIME-Version: 1.0 Content-Type: text/plain; charset=Windows-1251 Content-Transfer-Encoding: 8bit X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - h2.prohosting.com.ua X-AntiAbuse: Original Domain - freebsd.org X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [26 6] X-AntiAbuse: Sender Address Domain - 625.ru X-Source: X-Source-Args: X-Source-Dir: Subject: Re[2]: icmp problem X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: "Danil V. Gerun" List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 13 May 2005 06:03:11 -0000 Hello. Another possible solution came to my mind this morning :) ICMP doesn't have ports like TCP and UDP do, but it does have the contents of the ICMP packets ;) What if the contents of the ICMP Echo Request, sent by the gateway to the Internet, is for example equal to: SHA1 ( original private src_ip + some (constant) garbage ) It can be used like a NAT "port-table" by a "special" ping utility: the real "private" sender gets all expected ICMP Replies. Such ping utility might be found or created. It would work with natd or with Netgraph (or with both :) ). AW> I would guess, that ICMP packets do not have a port number (just a AW> request/response id), so that the NAT cannot distinguish multiple AW> ICMP packet sources (I mean: The response from the ICMP requestee AW> cannot be mapped back to the appropriate ICMP requester). AW> Hmm... I just think, that (if you have multiple ICMP requestees) AW> the NAT could be able to map back the ICMP requester IP by the IP AW> of the ICMP requestee. But I do not know, how your router works... AW> Maybe your computer-pool could elect an ICMP-master, who AW> coordinates all the ICMP traffic through the NAT. AW> Bye AW> Arne -- Best regards, Danil V. Gerun.