From owner-freebsd-pf@FreeBSD.ORG  Mon Dec  4 20:13:36 2006
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 4A15816A47E
	for <freebsd-pf@freebsd.org>; Mon,  4 Dec 2006 20:13:36 +0000 (UTC)
	(envelope-from travis@subspacefield.org)
Received: from nexus.subspacefield.org (nexus.subspacefield.org [64.39.14.82])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 74C5243CAD
	for <freebsd-pf@freebsd.org>; Mon,  4 Dec 2006 20:12:57 +0000 (GMT)
	(envelope-from travis@subspacefield.org)
Received: by nexus.subspacefield.org (Postfix, from userid 1003)
	id D497A64F7A0; Mon,  4 Dec 2006 14:13:31 -0600 (CST)
Date: Mon, 4 Dec 2006 14:13:31 -0600
From: "Travis H." <travis@subspacefield.org>
To: freebsd-pf@freebsd.org
Message-ID: <20061204201331.GA25039@subspacefield.org>
Mail-Followup-To: freebsd-pf@freebsd.org
References: <20061130173504.CD06C43CBA@mx1.FreeBSD.org>
	<20061130174045.GA73984@harmless.hu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20061130174045.GA73984@harmless.hu>
X-GPG-fingerprint: A04E 557F F9A6 F0FD EFD4  0DF3 6415 6591 0326 DF47
User-Agent: Mutt/1.5.11
Subject: Re: opinion on this ruleset
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Dec 2006 20:13:36 -0000

On Thu, Nov 30, 2006 at 06:40:45PM +0100, Gergely CZUCZY wrote:
> ($ext_if) translates to an ip address of the interface,
> and not to all addresses on the interface.

Are you sure?  To get a single address, I use ($ext_if:0).

> > pass in inet proto icmp all icmp-type $icmp_types keep state
> wrong.
> use this:
> pass in on $ext_if proto icmp
> 
> if you wonder why, read the openbsd's FAQ on pf. or just google for it

I've read the FAQ several times and don't remember this.
I filter all ICMP _queries_ inbound, and ICMP _responses_ outbound,
and have never had a problem.

What exactly should we be googling for, other than "pf icmp"?
-- 
"Cryptography is nothing more than a mathematical framework for
discussing various paranoid delusions." -- Don Alvarez
<URL:http://www.subspacefield.org/~travis/> -><-