Re: icmp problem

From: Arne (arne_woerner_at_yahoo.com)
Date: 05/11/05

  • Next message: Drew B. [Security Expertise/Freelance Security research].: "RE: Mozilla 1.0.4 security update (Just install it, will keep all settings) + Important note from me,please read,those uninterested,please dont flame ;)"
    Date: Wed, 11 May 2005 13:57:23 -0700 (PDT)
    To: george roman <thewolfro@yahoo.com>, freebsd-security@freebsd.org
    
    

    --- george roman <thewolfro@yahoo.com> wrote:
    > hi i have a problem with my icmp, i have a router that
    > performs nat. i cannot ping to internet hosts from
    > more than one stations situated behind NAT at once. if
    > i want to ping from another station i have to stop the
    > ping that was initiated from the first host, and after
    > a few seconds i can ping from another station.i've
    > checked firewll and i have no ipfw rules that could
    > stop icmp traffic. where should i continue my search
    > and what can i do to resolv this problem. i really
    > have to get ping wrking from more than one stations at
    > once.
    >
    Hi!

    I would guess, that ICMP packets do not have a port number (just a
    request/response id), so that the NAT cannot distinguish multiple
    ICMP packet sources (I mean: The response from the ICMP requestee
    cannot be mapped back to the appropriate ICMP requester).

    Hmm... I just think, that (if you have multiple ICMP requestees)
    the NAT could be able to map back the ICMP requester IP by the IP
    of the ICMP requestee. But I do not know, how your router works...

    Maybe your computer-pool could elect an ICMP-master, who
    coordinates all the ICMP traffic through the NAT.

    Bye
    Arne

                    
    __________________________________
    Yahoo! Mail Mobile
    Take Yahoo! Mail with you! Check email on your mobile phone.
    http://mobile.yahoo.com/learn/mail
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"


  • Next message: Drew B. [Security Expertise/Freelance Security research].: "RE: Mozilla 1.0.4 security update (Just install it, will keep all settings) + Important note from me,please read,those uninterested,please dont flame ;)"

    Relevant Pages

    • Re: Removing ping/icmp from a network
      ... A ping sweep isn't the only way to do network exploration. ... ICMP is a protocol, not a service. ... Security by design is always best, but hiding the presence of a device ...
      (Security-Basics)
    • RE: ICMP (Ping)
      ... You are correct about the kinder and gentler internet. ... network to deal with I might share your opinion. ... I believe you meant ICMP echo ... Subject: ICMP (Ping) ...
      (Security-Basics)
    • Re: Dropping ping at peak times
      ... an overview of all the monitoring at peak times, ... so ICMP is apparently not a useful ... As a general rule though blocking ping stinks. ... router doesn't help in the slightest. ...
      (uk.telecom.broadband)
    • Re: help with network problem
      ... I can browser the site using http in all the other computers. ... >While ping serves to test tcp/ip connectivity, ... ICMP messages, delivered in ... >> (Only that website so far). ...
      (Security-Basics)