Ben Nagy wrote:
>
> G'day,
>
> I was just testing some strange NAT stuff, and I noticed that both
> NT4 and Linux (2.2.14) don't seem to care about source IP addresses
> for ICMP echo-replies.
>
> For example, sitting on the outside, I would ping an inside host,
> and the reply would come back from the outside IP address of the
> router. Ping, however, didn't care and reported 0% packet loss.
>
> Has anyone else noticed this? Is it just me, or is that a bizarre
> implementation choice? It certainly gave me the absolute "what the
> (*^(&???" heebie-jeebies.

It's just you, Ben. Lay off the Australian table wines... ;)

ICMP is a connectionless protocol (so sayeth the Gospel according to St. Stevens), so what you see kinda follows, no? ICMP gets put off to the side and slightly above IP in the general layering scheme of things, but it inherits the unreliable, connectionless nature of IP. So even the merest act of checking the source IP address of an incoming packet to see if it's a "reply" is a blasphemous Act of Statefulness.

Now, given you don't have sequence numbers or anything else to provide state which allows an application like ping to understand what's a reply, but you need the concept of a reply w/an ICMP function like ping, ICMP has Identifier fields in the Message portion of the ICMP packet, for those ICMP functions requiring responses. These ID fields are arbitrary #'s that just provide the notion of the "reply". That's all the application needs--it doesn't care about IP addresses, it just wants that ID #.

So that's what you're seeing.

Michael
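An added example (not from this thread) of the matching behaviour Michael describes: it builds and parses ICMP echo messages, then shows that a ping-style matcher keyed only on the Identifier and Sequence fields accepts a reply arriving from the router's address, while a stricter matcher that also compares the reply's source address to the host that was pinged does not. All addresses are constructed documentation-range values, and the NAT scenario itself is assumed from the quoted message.

```python
import struct

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(msg_type: int, ident: int, seq: int, payload: bytes = b"ping") -> bytes:
    """Build an ICMP echo request (type 8) or echo reply (type 0)."""
    header = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", msg_type, 0, csum, ident, seq) + payload

def parse_icmp(msg: bytes) -> dict:
    """Parse the 8-byte ICMP header; a valid message checksums to zero."""
    msg_type, code, _csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    if icmp_checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    return {"type": msg_type, "code": code, "id": ident, "seq": seq, "payload": msg[8:]}

def ping_style_match(reply: dict, sent_id: int, sent_seq: int) -> bool:
    """Classic ping logic: a reply is 'ours' if type, Identifier and Sequence match.
    The IP source address is never consulted, which is the behaviour seen behind NAT."""
    return reply["type"] == 0 and reply["id"] == sent_id and reply["seq"] == sent_seq

def strict_match(reply: dict, src_ip: str, target_ip: str, sent_id: int, sent_seq: int) -> bool:
    """Stricter check a monitoring tool could apply: the reply must also come from the host pinged."""
    return ping_style_match(reply, sent_id, sent_seq) and src_ip == target_ip

def accepted_replies(received, target_ip: str, sent_id: int, sent_seq: int, strict: bool = False):
    """Filter a list of (src_ip, raw_icmp) pairs and return the source addresses accepted."""
    accepted = []
    for src_ip, raw in received:
        reply = parse_icmp(raw)
        if strict:
            ok = strict_match(reply, src_ip, target_ip, sent_id, sent_seq)
        else:
            ok = ping_style_match(reply, sent_id, sent_seq)
        if ok:
            accepted.append(src_ip)
    return accepted

# Constructed scenario: we ping the inside host 192.0.2.10 with id 0x1234, seq 1.
# The NAT router answers from its own outside address 198.51.100.1; a second
# reply carries a different Identifier and belongs to someone else's ping.
RECEIVED = [("198.51.100.1", build_echo(0, 0x1234, 1)),
            ("192.0.2.10", build_echo(0, 0x9999, 1))]
```

With `strict=False` the router's reply is counted exactly as ping counts it (0% loss); with `strict=True` nothing matches, which is the mismatch Ben noticed.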
