Re: icmp problem

From: Arne (arne_woerner_at_yahoo.com)
Date: 05/11/05

  • Next message: Drew B. [Security Expertise/Freelance Security research].: "RE: Mozilla 1.0.4 security update (Just install it, will keep all settings) + Important note from me,please read,those uninterested,please dont flame ;)" 
    Date: Wed, 11 May 2005 13:57:23 -0700 (PDT)
To: george roman <thewolfro@yahoo.com>, freebsd-security@freebsd.org

    --- george roman <thewolfro@yahoo.com> wrote:
    > hi i have a problem with my icmp, i have a router that
    > performs nat. i cannot ping to internet hosts from
    > more than one stations situated behind NAT at once. if
    > i want to ping from another station i have to stop the
    > ping that was initiated from the first host, and after
    > a few seconds i can ping from another station.i've
    > checked firewll and i have no ipfw rules that could
    > stop icmp traffic. where should i continue my search
    > and what can i do to resolv this problem. i really
    > have to get ping wrking from more than one stations at
    > once.
    >
    Hi!

    I would guess, that ICMP packets do not have a port number (just a
    request/response id), so that the NAT cannot distinguish multiple
    ICMP packet sources (I mean: The response from the ICMP requestee
    cannot be mapped back to the appropriate ICMP requester).

    Hmm... I just think, that (if you have multiple ICMP requestees)
    the NAT could be able to map back the ICMP requester IP by the IP
    of the ICMP requestee. But I do not know, how your router works...

    Maybe your computer-pool could elect an ICMP-master, who
    coordinates all the ICMP traffic through the NAT.

    Bye
    Arne

                    
    __________________________________
    Yahoo! Mail Mobile
    Take Yahoo! Mail with you! Check email on your mobile phone.
    http://mobile.yahoo.com/learn/mail
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

  • Next message: Drew B. [Security Expertise/Freelance Security research].: "RE: Mozilla 1.0.4 security update (Just install it, will keep all settings) + Important note from me,please read,those uninterested,please dont flame ;)"

    Relevant Pages

    • Re: Removing ping/icmp from a network
      ... A ping sweep isn't the only way to do network exploration. ... ICMP is a protocol, not a service. ... Security by design is always best, but hiding the presence of a device ...
      (Security-Basics)
    • RE: ICMP (Ping)
      ... You are correct about the kinder and gentler internet. ... network to deal with I might share your opinion. ... I believe you meant ICMP echo ... Subject: ICMP (Ping) ...
      (Security-Basics)
    • Re: help with network problem
      ... I can browser the site using http in all the other computers. ... >While ping serves to test tcp/ip connectivity, ... ICMP messages, delivered in ... >> (Only that website so far). ...
      (Security-Basics)
    • AW: ICMP (Ping)
      ... > someone's going to randomly probe for IP's to just randomly attack. ... radar if someone is just ping sweeping net blocks. ... > annoyed at how many hosts do not respond to ICMP echo. ...
      (Security-Basics)
    • Re: Keine ICMP Replys mit NAT unter Windows 2003 Server SR2
      ... das allgemein bei NAT ICMP Pakete gedropped werden? ... Ich kenne das Windows NAT jetzt nicht live aber wenn es das macht, ... funktioniert, sollte es Ping auch. ...
      (microsoft.public.de.german.windows.server.networking)