 From:  Fred Wright <fw at well dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] nat failing on simultaneous pings
 Date:  Fri, 23 Jul 2004 00:01:41 -0700 (PDT)
On Fri, 23 Jul 2004, Thomas Hertz wrote:
> Hello Brian,
> This is actually the way NAT works, and it cannot work any other way. The
> ICMP protocol cannot in any way keep track of which ping reply belongs to
> which LAN computer in this situation. This is not FreeBSD-specific, but NAT
> specific in general.

No, it's only specific to broken implementations.  ICMP requests and
replies have an ID field which can be handled in exactly the same way as
the originating port number in TCP/UDP traffic.  ICMP *errors* don't have
an ID, but they don't need it because they get demultiplexed on the basis
of the embedded partial IP packet.  IPFilter gets this latter part right,
except for screwing up the checksum in the current version.

					Fred Wright
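Worked example, added to this archive page and not code from the thread, from m0n0wall or from IPFilter: a small Python NAT that does what the reply above describes. The echo ID is translated exactly like a TCP/UDP source port, echo replies are matched on that ID, and ICMP errors (which carry no ID) are matched on the IP header and first 8 bytes of the offending datagram that the error quotes. Because that quoted copy is truncated, its checksums cannot be recomputed and have to be adjusted incrementally (RFC 1624); the outer checksums are recomputed in full. The scenario is the one from the original report: two LAN hosts ping the same target at the same time with the same ID. Addresses are taken from the RFC 5737 documentation ranges, and the ID allocation policy (counting up from 0x8000) is an assumption made for illustration. This is the behaviour RFC 5508 later codified for ICMP-aware NATs.

```python
# Added example, not m0n0wall or IPFilter code: echo IDs translated like source ports,
# ICMP errors demultiplexed on the quoted datagram. RFC 5737 addresses; ID policy invented.
import socket
import struct

def fold(s: int) -> int:                 # end-around carry for one's-complement sums
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s

def checksum(data: bytes) -> int:        # RFC 1071; 0 over a correctly summed header
    data += b"\x00" * (len(data) % 2)
    return ~fold(sum(struct.unpack(f"!{len(data) // 2}H", data))) & 0xFFFF

def adjust_checksum(cksum: int, old: int, new: int) -> int:
    # RFC 1624 incremental update (old -> new); the only option for a truncated quoted datagram.
    return ~fold((~cksum & 0xFFFF) + (~old & 0xFFFF) + new) & 0xFFFF

def fill_checksum(msg: bytes, off: int) -> bytes:   # zero field at off, sum, store
    zeroed = msg[:off] + b"\x00\x00" + msg[off + 2:]
    return zeroed[:off] + struct.pack("!H", checksum(zeroed)) + zeroed[off + 2:]

def u16(buf: bytes, off: int) -> int:
    return struct.unpack("!H", buf[off:off + 2])[0]

def ipv4_icmp(src: str, dst: str, icmp: bytes, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, ttl, 1, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return fill_checksum(hdr, 10) + icmp

def icmp_echo(typ: int, ident: int, seq: int, data: bytes) -> bytes:
    return fill_checksum(struct.pack("!BBHHH", typ, 0, 0, ident, seq) + data, 2)

def with_echo_id(icmp: bytes, ident: int) -> bytes:  # whole message: full recompute
    return fill_checksum(icmp[:4] + struct.pack("!H", ident) + icmp[6:], 2)

class IcmpNat:
    # Keyed on (LAN address, echo ID) exactly as port NAT is keyed on (LAN address, port).
    def __init__(self, wan_ip: str, first_id: int = 0x8000):
        self.wan_ip, self.next_id = wan_ip, first_id
        self.to_wan, self.to_lan = {}, {}           # (lan_ip, lan_id) <-> wan_id

    def outbound(self, pkt: bytes) -> bytes:
        icmp = pkt[20:]
        if icmp[0] != 8:
            raise ValueError("example handles outbound echo requests only")
        key = (socket.inet_ntoa(pkt[12:16]), u16(icmp, 4))
        if key not in self.to_wan:                  # allocate a WAN-unique ID
            self.to_wan[key], self.to_lan[self.next_id] = self.next_id, key
            self.next_id = (self.next_id + 1) & 0xFFFF
        return ipv4_icmp(self.wan_ip, socket.inet_ntoa(pkt[16:20]),
                         with_echo_id(icmp, self.to_wan[key]), pkt[8])

    def inbound(self, pkt: bytes):                  # None when nothing maps to it
        icmp, src = pkt[20:], socket.inet_ntoa(pkt[12:16])
        if icmp[0] == 0:                            # echo reply: its own ID suffices
            entry = self.to_lan.get(u16(icmp, 4))
            return entry and ipv4_icmp(src, entry[0], with_echo_id(icmp, entry[1]), pkt[8])
        # ICMP error: no ID of its own, so demultiplex on the quoted (WAN-side) request.
        inner = icmp[8:]
        ihl = (inner[0] & 0x0F) * 4 if len(inner) >= 28 else 0
        if (icmp[0] not in (3, 4, 11, 12) or ihl < 20 or len(inner) < ihl + 8 or inner[9] != 1
                or inner[ihl] != 8 or socket.inet_ntoa(inner[12:16]) != self.wan_ip):
            return None
        q, wan_id = inner[ihl:], u16(inner, ihl + 4)
        if wan_id not in self.to_lan:
            return None
        lan_ip, lan_id = self.to_lan[wan_id]
        # Restore the LAN source in the quoted IP header (two 16-bit words change).
        ip_ck = u16(inner, 10)
        for old, new in zip(struct.unpack("!HH", inner[12:16]),
                            struct.unpack("!HH", socket.inet_aton(lan_ip))):
            ip_ck = adjust_checksum(ip_ck, old, new)
        hdr = inner[:10] + struct.pack("!H", ip_ck) + socket.inet_aton(lan_ip) + inner[16:ihl]
        # Quoted echo checksum covers payload the error omits: adjust it, never recompute.
        quoted = q[:2] + struct.pack("!HH", adjust_checksum(u16(q, 2), wan_id, lan_id), lan_id) + q[6:]
        return ipv4_icmp(src, lan_ip, fill_checksum(icmp[:8] + hdr + quoted, 2), pkt[8])

def demo() -> dict:
    # Two LAN hosts ping one target with the same echo ID; a router then returns Time Exceeded.
    nat, wan, target = IcmpNat("203.0.113.1"), "203.0.113.1", "198.51.100.7"
    a = ipv4_icmp("192.168.1.10", target, icmp_echo(8, 1234, 1, b"abcdefgh"))
    b = ipv4_icmp("192.168.1.11", target, icmp_echo(8, 1234, 1, b"ABCDEFGH"))
    wa, wb = nat.outbound(a), nat.outbound(b)
    ra = nat.inbound(ipv4_icmp(target, wan, icmp_echo(0, u16(wa, 24), u16(wa, 26), wa[28:])))
    rb = nat.inbound(ipv4_icmp(target, wan, icmp_echo(0, u16(wb, 24), u16(wb, 26), wb[28:])))
    quote = struct.pack("!BBHI", 11, 0, 0, 0) + wb[:28]   # router quotes IP header + 8 bytes
    err = nat.inbound(ipv4_icmp("192.0.2.9", wan, fill_checksum(quote, 2)))
    return {
        "wan_ids": (u16(wa, 24), u16(wb, 24)),
        "reply_dst": (socket.inet_ntoa(ra[16:20]), socket.inet_ntoa(rb[16:20])),
        "reply_ids": (u16(ra, 24), u16(rb, 24)),
        "reply_data": (ra[28:], rb[28:]),
        "error_dst": socket.inet_ntoa(err[16:20]),
        "error_quoted_src": socket.inet_ntoa(err[40:44]),  # outer IP 20 + ICMP 8 + 12
        "quoted_echo_restored": err[48:56] == b[20:28],
        "checksums_ok": all(checksum(p[:20]) == 0 and checksum(p[20:]) == 0
                            for p in (wa, wb, ra, rb, err)) and checksum(err[28:48]) == 0,
    }
```

Run demo() and both replies come back to the host that sent them with ID 1234 restored, the Time Exceeded error is routed to 192.168.1.11 with its quoted datagram rewritten back to the LAN view, and every checksum (outer IP, outer ICMP, quoted IP header, quoted echo header) still verifies. The quoted echo header ends up byte-for-byte identical to what the LAN host originally sent, which is what an incremental checksum update buys you when a full recompute is impossible.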