[BBLISA] Amazon EC2 Oddly Rejecting Very Specific IP Addresses
Dean Anderson
dean at av8.com
Wed Apr 14 11:33:02 EDT 2010
On Tue, 13 Apr 2010, Bill Bogstad wrote:
> On Tue, Apr 13, 2010 at 4:19 PM, Dean Anderson <dean at av8.com> wrote:
> > The NAT _could_ statefully translate the ICMP packet addresses and
> > return the responses, but most NATs it seems also block ICMP. That's why
> > ICMP is failing at the first hop. But the solution is as Theo
> > describes. The customer needs a public IP that doesn't block ICMP.
>
> Really? I'm not sure that I've ever seen a deployed NAT which worked
> this way. Even the cheap $30 wireless router/NAT boxes support both
> NATed ping and traceroute in my experience.
Yes. But some won't, and don't/didn't have an option to turn it on/off.
'bad nat' is a frequent topic in some places. But I don't think this is
usually the problem, anymore. But NATs have evolved, and the problems of
NATs are not nearly as bad as they once were.
> Are you sure this isn't just 'network experts' who configure their
> firewalls to drop all ICMP because that's only used by hackers?
Yeah. Foolish intentional blocking of ICMP out of ignorance is probably
the biggest problem. And of course, it's the root problem in the 'bad
nat' case, too.
--Dean
--
Av8 Internet Prepared to pay a premium for better service?
www.av8.net faster, more reliable, better service
617 256 5494