Passing ICMP through a firewall strongly depends on the proxy. ICMP does not have
ports so it can't use standard NAT techniques. What it does have is ICMP Identifier
and Sequence Number fields.
To allow simple pings with ICMP echo is not too hard. One matches the identifier on
the internal incoming echo request with the identifier on the external outgoing echo request and
returns equivalent echo replies. Since they are 2 separate transactions, you can have
different identifier values for each half of the stream. TTL is meaningless, but that is
not that important for ping.
For tracert, one has a more difficult problem. The Identifier and Sequence Number
fields are used by the client to order the sequence of packets (no ports, remember), so
they must be preserved. But this causes a problem with matching internal packets with
outgoing packets. It probably could be done, but with much more difficulty than just a
one-to-one sequence as in ping.
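The two cases above can be modelled in a few dozen lines. The following is an added example (not Gauntlet code and not from the original poster): a toy ICMP "NAT" that maps an internal (host, identifier) pair to an external identifier for echo, and, for the traceroute case, matches an inbound Time Exceeded error by looking into the quoted header it carries and rewriting the translated source address and identifier back to the internal values. Only the IP header and the first 8 bytes of the expired ICMP message are quoted, so the embedded ICMP checksum is adjusted incrementally (RFC 1624) rather than recomputed. All addresses, identifiers and payloads are constructed sample values from the documentation ranges.

```python
"""Toy ICMP identifier NAT for echo request/reply and for Time Exceeded errors.
Added illustration; addresses are RFC 5737 documentation ranges (constructed)."""
import struct

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 0, 8, 11


def checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def adjust_checksum(old_csum: int, old_word: int, new_word: int) -> int:
    """RFC 1624 incremental update HC' = ~(~HC + ~m + m'); needed when only a
    truncated copy of the checksummed data (the quoted header) is available."""
    total = (~old_csum & 0xFFFF) + (~old_word & 0xFFFF) + new_word
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip2b(addr: str) -> bytes:
    return bytes(int(x) for x in addr.split("."))


def b2ip(raw: bytes) -> str:
    return ".".join(str(x) for x in raw)


def build_icmp(icmp_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """ICMP header (type, code 0, checksum, identifier, sequence) plus payload."""
    head = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    return struct.pack("!BBHHH", icmp_type, 0, checksum(head + payload), ident, seq) + payload


def parse_icmp(icmp: bytes):
    """Return (type, checksum, identifier, sequence, payload)."""
    icmp_type, _code, csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return icmp_type, csum, ident, seq, icmp[8:]


def fix_ip_checksum(hdr: bytes) -> bytes:
    hdr = hdr[:10] + b"\x00\x00" + hdr[12:]
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_ipv4(src: str, dst: str, ttl: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header, protocol 1 (ICMP), no options."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      ttl, 1, 0, ip2b(src), ip2b(dst))
    return fix_ip_checksum(hdr) + payload


def split_ipv4(pkt: bytes):
    """Return (src, dst, ttl, icmp_bytes); rejects non-ICMP packets."""
    if pkt[9] != 1:
        raise ValueError("not an ICMP packet")
    ihl = (pkt[0] & 0x0F) * 4
    return b2ip(pkt[12:16]), b2ip(pkt[16:20]), pkt[8], pkt[ihl:]


class IcmpNat:
    """Translates ICMP identifiers the way a TCP/UDP NAT translates ports."""

    def __init__(self, external_ip: str):
        self.external_ip = external_ip
        self.to_external = {}  # (internal_ip, internal_id) -> external_id
        self.to_internal = {}  # external_id -> (internal_ip, internal_id)
        self.next_id = 1

    def outbound(self, pkt: bytes):
        src, dst, ttl, icmp = split_ipv4(pkt)
        t, _c, ident, seq, payload = parse_icmp(icmp)
        if t != ICMP_ECHO_REQUEST:
            return None  # only echo requests open a mapping
        key = (src, ident)
        if key not in self.to_external:
            self.to_external[key] = self.next_id
            self.to_internal[self.next_id] = key
            self.next_id += 1
        return build_ipv4(self.external_ip, dst, ttl,
                          build_icmp(t, self.to_external[key], seq, payload))

    def inbound(self, pkt: bytes):
        src, _dst, ttl, icmp = split_ipv4(pkt)
        t, _c, ident, seq, payload = parse_icmp(icmp)
        if t == ICMP_ECHO_REPLY:
            if ident not in self.to_internal:
                return None  # unsolicited reply: drop
            int_ip, int_id = self.to_internal[ident]
            return build_ipv4(src, int_ip, ttl, build_icmp(t, int_id, seq, payload))
        if t == ICMP_TIME_EXCEEDED:
            # The error quotes the IP header plus the first 8 bytes of the packet
            # that expired, i.e. the translated echo request; match on that quote.
            ihl = (payload[0] & 0x0F) * 4
            q_ip, q_icmp = payload[:ihl], payload[ihl:ihl + 8]
            qt, q_csum, q_id, q_seq, _ = parse_icmp(q_icmp)
            if qt != ICMP_ECHO_REQUEST or q_id not in self.to_internal:
                return None
            int_ip, int_id = self.to_internal[q_id]
            # Undo the translation inside the quote: the full IP header is present,
            # so recompute its checksum; only 8 bytes of the ICMP message are
            # present, so its checksum is adjusted incrementally instead.
            q_ip = fix_ip_checksum(q_ip[:12] + ip2b(int_ip) + q_ip[16:])
            q_icmp = struct.pack("!BBHHH", qt, 0,
                                 adjust_checksum(q_csum, q_id, int_id), int_id, q_seq)
            return build_ipv4(src, int_ip, ttl, build_icmp(t, 0, 0, q_ip + q_icmp))
        return None


def demo():
    """Constructed scenario: one ping exchange, then one traceroute hop."""
    nat, host, target, router = IcmpNat("203.0.113.1"), "10.0.0.5", "198.51.100.7", "192.0.2.1"
    req = build_ipv4(host, target, 64, build_icmp(ICMP_ECHO_REQUEST, 0x1234, 1, b"tracert!"))
    out = nat.outbound(req)
    _t, _c, ext_id, seq, payload = parse_icmp(split_ipv4(out)[3])
    reply = nat.inbound(build_ipv4(target, "203.0.113.1", 55,
                                   build_icmp(ICMP_ECHO_REPLY, ext_id, seq, payload)))
    # a router on the path expires the translated packet and quotes its first 28 bytes
    hop = nat.inbound(build_ipv4(router, "203.0.113.1", 63,
                                 build_icmp(ICMP_TIME_EXCEEDED, 0, 0, out[:28])))
    return req, out, reply, hop


if __name__ == "__main__":
    for name, p in zip(("request", "translated", "reply", "hop"), demo()):
        src, dst, _ttl, icmp = split_ipv4(p)
        print(f"{name:10s} {src} -> {dst} type={icmp[0]} id=0x{parse_icmp(icmp)[2]:04x}")
```

The echo half only needs the mapping table; the traceroute half is harder precisely because the mapping key is buried inside the error's payload, and the quote is truncated, so the firewall must parse the embedded header and repair two checksums rather than rewrite one field. A proxy that does not inspect the quoted header has no way to tell which internal host the Time Exceeded belongs to, which is the symptom in the question.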
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of John Alexander
Sent: Tuesday, October 24, 2000 17:20
To: [EMAIL PROTECTED]
Subject: ICMP and Gauntlet 5.0
I'm running Gauntlet 5.0 on NT. Dynamic nat from a non-routable
to a single external I.P. address.
I have packet filtering passing ICMP echo just fine for outbound
pings and returning the echoes, but tracert doesn't return the hops.
I know that this is a matter of the responding IP (with TTL expired) not
being the original destination, but how do I get the firewall to pass
these through to the originator of the tracert?
Bet it's really simple, too.
John Alexander
Silver Spring, MD
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]