On Fri, 23 Jul 2004, Thomas Hertz wrote:
> Hello Brian,
> This is actually the way NAT works, and it cannot work any other way. The
> ICMP protocol cannot in any way keep track of which ping reply belongs to
> which LAN computer in this situation. This is not FreeBSD-specific, but NAT
> specific in general.
No, it's only specific to broken implementations. ICMP requests and
replies have an ID field which can be handled in exactly the same way as
the originating port number in TCP/UDP traffic. ICMP *errors* don't have
an ID, but they don't need it because they get demultiplexed on the basis
of the embedded partial IP packet. IPFilter gets this latter part right,
except for screwing up the checksum in the current version.
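
The ID-as-port scheme described above, as an added example (this is not IPFilter's code and not anything posted in the thread): a toy NAT in Python that rewrites the echo ID on the way out, demultiplexes replies on it, and demultiplexes ICMP errors on the embedded partial datagram. The addresses, the external IDs starting at 1000, the 20-byte headers and the restriction to echo flows are assumptions of the example. It also covers the checksum wrinkle: an ICMP error carries only the IP header plus the first 8 bytes of the offending datagram, so the embedded ICMP checksum cannot be recomputed and has to be patched incrementally (RFC 1624), and the outer error checksum, which covers those embedded bytes, has to be recomputed after they change.

```python
"""Toy NAT for ICMP echo: ID used like a port, errors demuxed on the embedded packet.
Added example, not IPFilter code; addresses and ID range are made up."""
import socket
import struct

ECHO_REPLY, ECHO_REQUEST = 0, 8
ICMP_ERRORS = {3, 4, 5, 11, 12}  # unreachable, source quench, redirect, time exceeded, param problem

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when data's checksum field is already right."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def adjust_checksum(old_sum: int, old_word: int, new_word: int) -> int:
    """RFC 1624 incremental update for one replaced 16-bit word: HC' = ~(~HC + ~m + m')."""
    return checksum(struct.pack("!HHH", ~old_sum & 0xFFFF, ~old_word & 0xFFFF, new_word))

def with_checksum(msg: bytes, offset: int) -> bytes:
    """Return msg with the 16-bit checksum at offset recomputed over the whole of msg."""
    m = bytearray(msg)
    m[offset:offset + 2] = b"\x00\x00"
    m[offset:offset + 2] = struct.pack("!H", checksum(bytes(m)))
    return bytes(m)

def build_icmp(kind: int, code: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """ICMP message with a valid checksum (for error types ident/seq fill the unused word)."""
    return with_checksum(struct.pack("!BBHHH", kind, code, 0, ident, seq) + payload, 2)

def build_ipv4(src: str, dst: str, icmp_msg: bytes) -> bytes:
    """Minimal 20-byte IPv4 header, protocol 1, DF set, valid header checksum (assumption: no options)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp_msg), 0, 0x4000, 64, 1, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return with_checksum(hdr, 10) + icmp_msg

def rewrite_ip(hdr: bytes, src: str = None, dst: str = None) -> bytes:
    """Patch one or both addresses of an IPv4 header; length and other fields are left alone."""
    h = bytearray(hdr)
    if src:
        h[12:16] = socket.inet_aton(src)
    if dst:
        h[16:20] = socket.inet_aton(dst)
    return with_checksum(bytes(h), 10)

def set_id(icmp_msg: bytes, new_id: int, full: bool) -> bytes:
    """Replace the echo ID.  With the full datagram, recompute the checksum; with only the
    8 bytes a router embeds in an error, update the old checksum incrementally instead."""
    old_sum, old_id = struct.unpack("!HH", icmp_msg[2:6])
    m = bytearray(icmp_msg)
    m[4:6] = struct.pack("!H", new_id)
    if full:
        return with_checksum(bytes(m), 2)
    m[2:4] = struct.pack("!H", adjust_checksum(old_sum, old_id, new_id))
    return bytes(m)

class IcmpNat:
    """Maps (LAN IP, echo ID) to a unique external ID, just as a source port is mapped for TCP/UDP."""
    def __init__(self, ext_ip: str):
        self.ext_ip, self.by_ext, self.by_lan, self.next_id = ext_ip, {}, {}, 1000

    def outbound(self, pkt: bytes):
        """LAN echo request -> Internet: rewrite source address and ID, remember the mapping."""
        ihl = (pkt[0] & 0x0F) * 4
        ip, msg = pkt[:ihl], pkt[ihl:]
        if msg[0] != ECHO_REQUEST:
            return None
        key = (socket.inet_ntoa(ip[12:16]), struct.unpack("!H", msg[4:6])[0])
        if key not in self.by_lan:
            self.by_lan[key], self.by_ext[self.next_id] = self.next_id, key
            self.next_id += 1
        return rewrite_ip(ip, src=self.ext_ip) + set_id(msg, self.by_lan[key], full=True)

    def inbound(self, pkt: bytes):
        """Internet -> LAN: replies demux on the ID; errors on the embedded offending datagram."""
        ihl = (pkt[0] & 0x0F) * 4
        ip, msg = pkt[:ihl], pkt[ihl:]
        if msg[0] == ECHO_REPLY:
            hit = self.by_ext.get(struct.unpack("!H", msg[4:6])[0])
            if hit is None:
                return None
            return rewrite_ip(ip, dst=hit[0]) + set_id(msg, hit[1], full=True)
        if msg[0] not in ICMP_ERRORS:
            return None
        inner = msg[8:]                         # offending IP header + first 8 bytes of its payload
        iihl = (inner[0] & 0x0F) * 4
        inner_ip, inner_msg = inner[:iihl], inner[iihl:]
        if inner_ip[9] != 1 or inner_msg[0] != ECHO_REQUEST:
            return None                         # toy NAT: only echo flows are tracked
        hit = self.by_ext.get(struct.unpack("!H", inner_msg[4:6])[0])
        if hit is None:
            return None
        lan_ip, orig_id = hit
        fixed = rewrite_ip(inner_ip, src=lan_ip) + set_id(inner_msg, orig_id, full=False)
        # the outer checksum covers the embedded bytes just changed, so recompute it last
        return rewrite_ip(ip, dst=lan_ip) + with_checksum(msg[:8] + fixed, 2)

if __name__ == "__main__":
    nat = IcmpNat("203.0.113.1")
    a = nat.outbound(build_ipv4("192.168.1.10", "198.51.100.7", build_icmp(ECHO_REQUEST, 0, 0x1234, 1, b"A" * 56)))
    b = nat.outbound(build_ipv4("192.168.1.11", "198.51.100.7", build_icmp(ECHO_REQUEST, 0, 0x1234, 1, b"B" * 56)))
    print("external IDs:", a[24:26].hex(), b[24:26].hex())  # two hosts with the same ID stay distinct
```

Two LAN hosts that both ping with ID 0x1234 get external IDs 1000 and 1001, so their replies are told apart exactly as two connections from the same source port would be. For a "time exceeded" that quotes the translated request, the NAT finds the mapping from the ID inside the quoted datagram, restores the inner source address and ID, patches the inner checksum incrementally, then recomputes the outer one.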