
Re: pinging same host on the internet from two different LAN stations



Well FYI,
the very same problem appeared on the Czech OpenBSD mailing list. A reader
complained that one Windows station could ping through a pf OpenBSD
firewall, but the second could not (see
http://openbsd.cz/pipermail/users/2005-July/001051.html; it is in Czech,
however you could clearly spot "port" 512 used for ICMP ping
in the state table).
Petr R.
On 7/28/05, Melameth, Daniel D. <[email protected]> wrote:
> Pejman Moghadam wrote:
> > Melameth, Daniel D. wrote :
> > > FWIW, while I haven't looked into this in detail, it appears Windows
> > > clients always use the same ICMP ID--512...
> >
> > I think this is right, because of this state entry:
> >
> > self icmp 192.168.1.18:512 -> 1.2.3.4:512 -> 192.9.9.3:512       0:0
> >
> > But I do not have any problem with Windows clients when I use ipfw in
> > FreeBSD or even iptables in Linux.
> > Why is the same ICMP ID (512) so important for PF? How can I deal with
> > that?
> 
> I don't know the specifics of any of these other packet filters and haven't
> looked at any code, but I'd speculate that ipfw and iptables are
> proxying these ICMP IDs in some capacity similar to the way TCP ports
> are proxied and pf is just using the ICMP ID that is provided by the
> client.
> 
> Then again, I could be very wrong.
> 
> Danny
>