On Thu, 27 May 2004, Mitch (WebCob) wrote:

> > Although ICMP doesn't use "port numbers", the request and reply forms have
> > a 16-bit "ID", which is conceptually more or less equivalent to the
> > TCP/UDP originating port number, and should be treated as such by NAT
> > (including possibly remapping it to avoid conflicts). Any NAT
> > implementation that doesn't do this is broken.
> >
> > ICMP *errors* have no ID, but should be demultiplexed on the basis of the
> > embedded IP header from the associated *outgoing* packet.
>
> Sounds like you've got a point to me, but unless the limitation on mono is
> specific to mono, you are probably better off raising that issue with natd -
> cause I guess everyone has the problem then eh?

Yes, I know that it isn't a m0n0wall-specific issue. I just didn't want to let Manuel get away with suggesting that there's anything remotely reasonable about the deficiency. :-)

> Could it have something to do with setting a keepstate rule on the icmp
> rules? Doing that on udp makes it remember and reverse the path for dns
> query returns etc - right?

"Keep state" is an option for *firewall* rules, not NAT rules. NAT *always* "keeps state", since it would be mostly useless otherwise.

Fred Wright
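As an added illustration of the ICMP handling described in the thread (example code written for this page, not code from the thread, m0n0wall or natd): a toy NAT that remaps the echo ID the way a port NAT remaps a source port, reverses it for echo replies, and demultiplexes ICMP errors on the quoted IP header of the outgoing packet. All addresses, IDs and packets are constructed sample data.

```python
import socket
import struct

ICMP_ECHO_REPLY, ICMP_ECHO = 0, 8
ICMP_ERRORS = {3, 11}  # unreachable, time exceeded: both quote the offending IP header

def echo_header(icmp_type, ident, seq):
    """8-byte ICMP echo / echo-reply header (checksum left zero; constructed test data)."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
def echo_id(icmp_msg):
    """The 16-bit ID field of an echo / echo-reply header."""
    return struct.unpack("!H", icmp_msg[4:6])[0]
def ipv4_header(src, dst, proto=1):
    """Minimal 20-byte IPv4 header; only src, dst and protocol matter for demultiplexing."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))
def icmp_error(icmp_type, inner_ip, inner_l4):
    """ICMP error: type, code, checksum, 4 unused bytes, then the quoted IP header + 8 bytes."""
    return struct.pack("!BBHI", icmp_type, 0, 0, 0) + inner_ip + inner_l4[:8]

class IcmpNat:
    """Treats the echo ID like a source port: remap outbound, reverse inbound."""
    def __init__(self, public_addr):
        self.public = public_addr
        self.out_map = {}   # (inside_addr, inside_id) -> public_id
        self.in_map = {}    # public_id -> (inside_addr, inside_id)
        self.next_id = 1024

    def translate_out(self, inside_addr, icmp_msg):
        """Outbound echo request: allocate a public ID and return the rewritten header."""
        key = (inside_addr, echo_id(icmp_msg))
        if key not in self.out_map:
            while self.next_id in self.in_map:     # two inside hosts may pick the same ID
                self.next_id = (self.next_id + 1) & 0xFFFF
            self.out_map[key], self.in_map[self.next_id] = self.next_id, key
        seq = struct.unpack("!H", icmp_msg[6:8])[0]
        return echo_header(ICMP_ECHO, self.out_map[key], seq)

    def demux_in(self, icmp_msg):
        """Inbound ICMP: return (inside_addr, inside_id), or None when no state matches."""
        icmp_type = icmp_msg[0]
        if icmp_type == ICMP_ECHO_REPLY:            # replies carry the ID directly
            return self.in_map.get(echo_id(icmp_msg))
        if icmp_type in ICMP_ERRORS:                # errors quote our *outgoing* packet
            inner = icmp_msg[8:]
            ihl = (inner[0] & 0x0F) * 4
            proto, src = inner[9], socket.inet_ntoa(inner[12:16])
            quoted = inner[ihl:ihl + 8]
            if proto != 1 or src != self.public or quoted[0] != ICMP_ECHO:
                return None
            return self.in_map.get(echo_id(quoted))
        return None
```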