You didn't muddy them half as much as I did! I think mine ranks up with my most inaccurate post ever. Unfortunately, I answered with the junk that I had in my mind, which for creating access-lists and configuring firewall rule bases has always been close enough to allow things to work (even if totally for the wrong reasons). As soon as I read John's post I realised what an arse I'd made of it.
I will take a severe hand smacking for that one. Lesson learnt - get the facts right - don't guess. But maybe my totally incorrect answer induced John to shoot me down with a decent answer. I'll console myself with that. I've now read the RFC. John Nemeth, you're a cruel man, and I totally deserved it ;-)

Joe Bloggs (Definitely not Gaz anyway)

"Jeremy" wrote in message news:[EMAIL PROTECTED]...
> I think it relates to the fact that ICMP uses TYPES rather than PORTS.
> Though it still uses source and destination IP address, ports are not used,
> so the whole source port thing doesn't really make sense with ICMP. There
> really is no "source type", so they don't have granularity on the source
> address. Make sense? Or did I muddy the waters further?
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, April 25, 2002 5:29 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Why does IOS only allow ICMP granularity on "destination"
> [7:42618]
>
>
> On Sep 15, 12:40pm, "Gaz" wrote:
> }
> } I don't think you will see the source as echo reply. By that, I mean that
> } the echo reply will only be evident in the destination. The source could be
> } any port.
>
> ICMP does not have "port"s; therefore, this statement is
> non-sensical.
>
> } Remember ICMP is the odd protocol, which has to be allowed both ways through
> } a firewall, because the reply is a totally separate session.
>
> ICMP is a connectionless protocol; therefore, there is no such
> thing as a "session".
>
> } If you telnet from A to B. The destination port is 23. In the reply from B
> } to A 'source' port is 23.
>
> Telnet uses TCP. There is no comparison.
>
> } If you use ping though for example, from A to B. The destination will be
> } echo. In the reply from B to A, the source will not be 'echo' it could be
> } anything. The important part will be the destination port which is
> } 'echo-reply'.
>
> ICMP does not have "port"s. It has "type"s and "code". Echo is
> type 8 and Echo Reply is type 0. Neither one uses codes, so the code
> is 0. The only information as to the source of an ICMP message is the
> IP address. As I said to the other guy, go read RFC 792 (especially
> before answering any more questions about it).
>
> } Hope I haven't confused. Hope even more that I haven't errored.
>
> You have errored. Go read the RFC, it is a simple one and will
> get you into the habit of going to the source when conducting your
> research.
>
> }-- End of excerpt from "Gaz"

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42662&t=42662
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
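The point John makes in the thread, that an ICMP header carries a type and a code but no port fields, is easy to see by taking the header apart. The following is an added example, not code from the thread or from any of its posters: it builds RFC 792 echo (type 8) and echo-reply (type 0) messages with a valid checksum, parses them, and then applies a small stateless rule set modelled on the shape of an IOS extended ACL for ICMP (permit icmp source destination type), where the source side can only ever be matched on IP address. The rule list, the addresses, and the payload are all constructed for the example.

```python
"""Added example (not from the mailing-list thread): ICMP has types and
codes, not ports, so filtering granularity comes from type/code plus the
IP addresses. Constructed packets and rules throughout."""
import ipaddress
import struct

# RFC 792 message types discussed in the thread.
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message.
    Over a message whose checksum field is already correct it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int,
               payload: bytes = b"constructed") -> bytes:
    """Build an echo or echo-reply: type, code (0), checksum, id, seq, data.
    Note the 8-byte header has no room for a port: none is defined."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(msg: bytes) -> dict:
    """Decode the fixed ICMP header and validate its checksum."""
    if len(msg) < 8:
        raise ValueError("ICMP header is at least 8 bytes")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    return {
        "type": icmp_type,
        "code": code,
        "id": ident,
        "seq": seq,
        "checksum_ok": icmp_checksum(msg) == 0,
    }


def _ip_match(net: str, ip: str) -> bool:
    """'any' or a CIDR prefix, as an ACL source/destination would be."""
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)


# Constructed rules in the spirit of
#   permit icmp 10.0.0.0 0.255.255.255 any echo
#   permit icmp any 10.0.0.0 0.255.255.255 echo-reply
# The "source" half of each rule is an IP prefix only; type/code apply to
# the message itself, which is why IOS offers that granularity on one side.
RULES = [
    {"src": "10.0.0.0/8", "dst": "any", "type": ICMP_ECHO_REQUEST},
    {"src": "any", "dst": "10.0.0.0/8", "type": ICMP_ECHO_REPLY},
]


def permitted(src_ip: str, dst_ip: str, msg: bytes, rules=RULES) -> bool:
    """Stateless evaluation: first matching rule permits, otherwise deny.
    Corrupted messages are dropped before any rule is consulted."""
    hdr = parse_icmp(msg)
    if not hdr["checksum_ok"]:
        return False
    for rule in rules:
        if (_ip_match(rule["src"], src_ip)
                and _ip_match(rule["dst"], dst_ip)
                and rule["type"] == hdr["type"]
                and rule.get("code", hdr["code"]) == hdr["code"]):
            return True
    return False  # implicit deny at the end of the list


if __name__ == "__main__":
    req = build_echo(ICMP_ECHO_REQUEST, ident=0x1234, seq=1)
    rep = build_echo(ICMP_ECHO_REPLY, ident=0x1234, seq=1)
    print("outbound ping permitted:", permitted("10.1.1.1", "192.0.2.7", req))
    print("reply back in permitted:", permitted("192.0.2.7", "10.1.1.1", rep))
    print("inbound ping permitted:", permitted("192.0.2.7", "10.1.1.1", req))
```

Because the rule set is stateless, both directions have to be permitted explicitly, which is the practical reason the thread's "allow it both ways" advice works even though the reasoning about sessions was wrong; a stateful inspector would instead track the echo id/sequence pair to admit only replies to requests it has seen.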

