Date: Fri, 13 May 2005 09:33:08 +0300 (EEST)
From: BigBrother-{BigB3} <bigbrother@bonbon.net>
Cc: freebsd-security@freebsd.org
Subject: Re[2]: icmp problem
Message-ID: <20050513092907.J73276@bigb3server.bbcluster.gr>
In-Reply-To: <1682287017.20050513100245@625.ru>
References: 6667 <20050511205723.48284.qmail@web41210.mail.yahoo.com> <1682287017.20050513100245@625.ru>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, 13 May 2005, Danil V. Gerun wrote: > > AW> I would guess, that ICMP packets do not have a port number (just a > AW> request/response id), so that the NAT cannot distinguish multiple > AW> ICMP packet sources (I mean: The response from the ICMP requestee > AW> cannot be mapped back to the appropriate ICMP requester). > > AW> Hmm... I just think, that (if you have multiple ICMP requestees) > AW> the NAT could be able to map back the ICMP requester IP by the IP > AW> of the ICMP requestee. But I do not know, how your router works... > > AW> Maybe your computer-pool could elect an ICMP-master, who > AW> coordinates all the ICMP traffic through the NAT. > > AW> Bye > AW> Arne > > In my NATED (ipfw+natd) lan EVERY internal host (192.168.XX) can ping simultaneously any external host and ALL getting their proper ICMP replies. If you have a straightforward setup you wont have any problems. Just try a simple test...Run ipfw with one divert rule only, and the "natd" application and see what happens if you ping. I think that you are using some limiters in your ipfw rules. Rgz, BB --- Dreams have no limits!
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050513092907.J73276>