 From:  Fred Wright <fw at well dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] multiple ping problems
 Date:  Fri, 28 May 2004 13:57:57 -0700 (PDT)
On Thu, 27 May 2004, Mitch (WebCob) wrote:

> > Although ICMP doesn't use "port numbers", the request and reply forms have
> > a 16-bit "ID", which is conceptually more or less equivalent to the
> > TCP/UDP originating port number, and should be treated as such by NAT
> > (including possibly remapping it to avoid conflicts).  Any NAT
> > implementation that doesn't do this is broken.
> >
> > ICMP *errors* have no ID, but should be demultiplexed on the basis of the
> > embedded IP header from the associated *outgoing* packet.
> Sounds like you've got a point to me, but unless the limitation on mono is
> specific to mono, you are probably better off raising that issue with natd -
> cause I guess everyone has the problem then eh?

Yes, I know that it isn't a m0n0wall-specific issue.  I just didn't want
to let Manuel get away with suggesting that there's anything remotely
reasonable about the deficiency. :-)

> Could it have something to do with setting a keepstate rule on the icmp
> rules? Doing that on udp makes it remember and reverse the path for dns
> query returns etc - right?

"Keep state" is an option for *firewall* rules, not NAT rules.  NAT
*always* "keeps state", since it would be mostly useless otherwise.

					Fred Wright
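Added illustration of the two NAT rules described in this exchange (this is example code written for this page; it is not code from m0n0wall, natd, or any participant in the thread): echo request/reply are tracked on the 16-bit ICMP ID and the ID is remapped on collision the way a TCP/UDP source port would be, while ICMP errors, which carry no ID of their own, are matched on the embedded IP and ICMP headers of the outgoing packet that triggered them. The addresses, IDs and the "bump the ID until it is free" collision strategy are constructed assumptions for the demo.

```python
"""Toy ICMP-aware NAT. Example code for illustration only, not m0n0wall/natd code.
All IPs and IDs below are constructed sample values."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

ECHO_REQUEST, ECHO_REPLY, TIME_EXCEEDED = 8, 0, 11


@dataclass(frozen=True)
class Icmp:
    src: str                        # outer IP source
    dst: str                        # outer IP destination
    type: int                       # ICMP type
    id: int = 0                     # echo ID; meaningless for error types
    seq: int = 0
    inner: Optional["Icmp"] = None  # errors quote the original datagram here


class IcmpNat:
    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        # NAT state: (public_id, remote_ip) -> (inside_ip, inside_id)
        self.table: Dict[Tuple[int, str], Tuple[str, int]] = {}
        # (inside_ip, inside_id, remote_ip) -> public_id, so a host that
        # reuses its ID for the next ping keeps the same translation
        self.by_inside: Dict[Tuple[str, int, str], int] = {}

    def outbound(self, pkt: Icmp) -> Icmp:
        """Translate an inside -> outside echo request, creating state."""
        assert pkt.type == ECHO_REQUEST
        key = (pkt.src, pkt.id, pkt.dst)
        pub_id = self.by_inside.get(key)
        if pub_id is None:
            pub_id = pkt.id
            # Collision with another inside host pinging the same target
            # with the same ID: remap, exactly like a source port (assumed
            # strategy: bump until free).
            while (pub_id, pkt.dst) in self.table:
                pub_id = (pub_id + 1) & 0xFFFF
            self.table[(pub_id, pkt.dst)] = (pkt.src, pkt.id)
            self.by_inside[key] = pub_id
        return replace(pkt, src=self.public_ip, id=pub_id)

    def inbound(self, pkt: Icmp) -> Optional[Icmp]:
        """Translate outside -> inside; return None when no state matches."""
        if pkt.type == ECHO_REPLY:
            hit = self.table.get((pkt.id, pkt.src))
            if hit is None:
                return None                       # unsolicited reply: drop
            inside_ip, inside_id = hit
            return replace(pkt, dst=inside_ip, id=inside_id)
        if pkt.inner is not None:
            # ICMP error: no ID of its own, so demultiplex on the quoted
            # outgoing packet (our public IP / the translated ID / target).
            q = pkt.inner
            if q.src != self.public_ip or q.type != ECHO_REQUEST:
                return None
            hit = self.table.get((q.id, q.dst))
            if hit is None:
                return None
            inside_ip, inside_id = hit
            # Rewrite both the outer destination and the quoted header so
            # the inside host recognises its own packet.
            fixed_inner = replace(q, src=inside_ip, id=inside_id)
            return replace(pkt, dst=inside_ip, inner=fixed_inner)
        return None


if __name__ == "__main__":
    nat = IcmpNat("203.0.113.1")
    a = nat.outbound(Icmp("192.168.1.10", "198.51.100.7", ECHO_REQUEST, id=0x1234))
    b = nat.outbound(Icmp("192.168.1.11", "198.51.100.7", ECHO_REQUEST, id=0x1234))
    print("host A translated ID:", hex(a.id), " host B translated ID:", hex(b.id))
    err = Icmp("192.0.2.1", "203.0.113.1", TIME_EXCEEDED, inner=b)
    print("time-exceeded delivered to:", nat.inbound(err).dst)
```

Two inside hosts picking the same ID (many ping implementations use the PID, so collisions are not contrived) end up with distinct translated IDs, and a Time Exceeded from an intermediate router is routed back to the right host purely from the quoted header, with no ID to look at on the error itself.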