Re[2]: icmp problem

• Previous message: Drew B. [Security Expertise/Freelance Security research].: "Re: Do I have an infected init file?"
• In reply to: Arne : "Re: icmp problem"
• Next in thread: BigBrother-{BigB3}: "Re[2]: icmp problem"
• Reply: BigBrother-{BigB3}: "Re[2]: icmp problem"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Fri, 13 May 2005 10:02:45 +0400
To: freebsd-security@freebsd.org

Hello.

Another possible solution came to my mind this morning :)
ICMP doesn't have ports like TCP and UDP do, but it does have the
contents of the ICMP packets ;)

What if the contents of the ICMP Echo Request, sent by the gateway to
the Internet, is for example equal to:
SHA1 ( original private src_ip + some (constant) garbage )
It can be used like a NAT "port-table" by a "special" ping utility:
the real "private" sender gets all expected ICMP Replies.

Such ping utility might be found or created.
It would work with natd or with Netgraph (or with both :) ).

AW> I would guess, that ICMP packets do not have a port number (just a
AW> request/response id), so that the NAT cannot distinguish multiple
AW> ICMP packet sources (I mean: The response from the ICMP requestee
AW> cannot be mapped back to the appropriate ICMP requester).

AW> Hmm... I just think, that (if you have multiple ICMP requestees)
AW> the NAT could be able to map back the ICMP requester IP by the IP
AW> of the ICMP requestee. But I do not know, how your router works...

AW> Maybe your computer-pool could elect an ICMP-master, who
AW> coordinates all the ICMP traffic through the NAT.

AW> Bye
AW> Arne

-- 
Best regards, Danil V. Gerun.
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

• Previous message: Drew B. [Security Expertise/Freelance Security research].: "Re: Do I have an infected init file?"
• In reply to: Arne : "Re: icmp problem"
• Next in thread: BigBrother-{BigB3}: "Re[2]: icmp problem"
• Reply: BigBrother-{BigB3}: "Re[2]: icmp problem"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: icmp problem ... > more than one stations situated behind NAT at once. ... > i want to ping from another station i have to stop the ... > stop icmp traffic. ... The response from the ICMP requestee ... (FreeBSD-Security) Re: NAT help? ... > I have a firewall/router doing NAT, which works for machines behind ... > konqueror hangs too, so it seems to be NAT related. ... Because you block ICMP. ... (Fedora) Re: Why doesnt this NAT ping? ... I didn't know how to tell the difference between a lagit response packet ... ACL to control what gets outbound NATed by the LAN in the first place. ... As I posted before, this ACL, when used in an inside dest list / pool nat, ... was consistantly ignoring icmp echo destined for 6.22.8.115 ... (comp.dcom.sys.cisco) Re: unable to ping or connect to freebsd ... The network card get the ICMP ... > your fbsd box is acting as a router, why do you need NAT? ... (freebsd-net) Re: Keine ICMP Replys mit NAT unter Windows 2003 Server SR2 ... das allgemein bei NAT ICMP Pakete gedropped werden? ... Ich kenne das Windows NAT jetzt nicht live aber wenn es das macht, ... funktioniert, sollte es Ping auch. ... (microsoft.public.de.german.windows.server.networking)