Date:      Mon, 4 Dec 2006 14:13:31 -0600
From:      "Travis H." <travis@subspacefield.org>
To:        freebsd-pf@freebsd.org
Subject:   Re: opinion on this ruleset
Message-ID:  <20061204201331.GA25039@subspacefield.org>
In-Reply-To: <20061130174045.GA73984@harmless.hu>
References:  <20061130173504.CD06C43CBA@mx1.FreeBSD.org> <20061130174045.GA73984@harmless.hu>

On Thu, Nov 30, 2006 at 06:40:45PM +0100, Gergely CZUCZY wrote:
> ($ext_if) translates to an ip address of the interface,
> and not to all addresses on the interface.

Are you sure?  To get a single address, I use ($ext_if:0).

> > pass in inet proto icmp all icmp-type $icmp_types keep state
> wrong.
> use this:
> pass in on $ext_if proto icmp
> 
> if you wonder why, read the openbsd's FAQ on pf. or just google for it

I've read the FAQ several times and don't remember this.
I filter all ICMP _queries_ inbound, and ICMP _responses_ outbound,
and have never had a problem.

What exactly should we be googling for, other than "pf icmp"?
-- 
"Cryptography is nothing more than a mathematical framework for
discussing various paranoid delusions." -- Don Alvarez
<URL:http://www.subspacefield.org/~travis/> -><-


