Date:      Wed, 6 Sep 2006 05:46:01 -0700
From:      "John Archambeau" <jcarchambeau@gmail.com>
To:        "Matthew Seaman" <m.seaman@infracaninophile.co.uk>
Cc:        Remko Lodder <remko@freebsd.org>, freebsd-doc@freebsd.org
Subject:   Re: docs/101114: icmptype names not in icmp(4) manpage
Message-ID:  <b17ab3230609060546o6717d24ar2be845e07f83e975@mail.gmail.com>
In-Reply-To: <44FE6068.5000801@infracaninophile.co.uk>
References:  <200609051159.k85BxO6H049544@freefall.freebsd.org> <b17ab3230609051252u3aa5771ct38a4782f4c0a5cc1@mail.gmail.com> <44FE6068.5000801@infracaninophile.co.uk>

I must be one of the few people who rtfm's first.  The Free/OpenBSD
pf.conf manpage implies that number codes won't work but the icmptype
abbreviations will.  Also consider the output you get from pfctl
-s[ar] which is in the OpenBSD icmptype abbreviation, not the number
code.  Another ambiguity of filtering icmp traffic with the pf.conf
manpage that should be addressed especially for those of us that
migrate from ipfw to pf.

On 9/5/06, Matthew Seaman <m.seaman@infracaninophile.co.uk> wrote:
> John Archambeau wrote:
>
> > To create a pf.conf file (see man pf.conf) properly for filtering of
> > icmp, you must specify the icmptype(s) by abbreviation per the OpenBSD
> > icmp(4) manpage you wish to filter.  It's not like ipfw where you can
> > specify the icmptype by number, it must be the type by the
> > abbreviation as specified by the OpenBSD manpage for icmptypes.
>
> Are you sure about that?
>
> happy-idiot-talk:/etc:% uname -a
> FreeBSD happy-idiot-talk.infracaninophile.co.uk 6.1-STABLE FreeBSD 6.1-STABLE #6: Mon Aug 28 14:01:08 BST 2006     root@happy-idiot-talk.infracaninophile.co.uk:/usr/obj/usr/src/sys/HAPPY-IDIOT-TALK  i386
> happy-idiot-talk:/etc:% cat pf.conf
>
> icmp_types="{ 0 3 8 11 }"
>
> scrub in
> pass all
>
> pass inet proto icmp all icmp-type $icmp_types keep state
>
> happy-idiot-talk:/etc:% sudo pfctl -f pf.conf
> happy-idiot-talk:/etc:% sudo pfctl -sr
> scrub in all fragment reassemble
> pass all
> pass inet proto icmp all icmp-type echorep keep state
> pass inet proto icmp all icmp-type unreach keep state
> pass inet proto icmp all icmp-type echoreq keep state
> pass inet proto icmp all icmp-type timex keep state
>
>
>         Cheers,
>
>         Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.                       7 Priory Courtyard
>                                                       Flat 3
> PGP: http://www.infracaninophile.co.uk/pgpkey         Ramsgate
>                                                       Kent, CT11 9PW
>
>
>
>
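The number-to-abbreviation expansion visible in the quoted `pfctl -sr` listing, as an added example that is not part of either message: this Python code expands a pf.conf macro and an icmp-type list into one rule per type, so a ruleset migrated from ipfw can be compared against what the listing will show. The name table is a subset of the ICMP types in pf.conf(5); `expand_rules`, `canonical` and the sample text are constructed for illustration, and only the icmp-type clause is normalized.

```python
import re

# Subset of the ICMP type names from pf.conf(5); 0, 3, 8, 11 are from the thread.
ICMP_NAMES = {0: "echorep", 3: "unreach", 4: "squench", 5: "redir",
              8: "echoreq", 11: "timex", 12: "paramprob"}
KNOWN_NAMES = set(ICMP_NAMES.values())

MACRO_DEF = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')
ICMP_CLAUSE = re.compile(r'icmp-type\s+(\{[^}]*\}|\S+)')

# Constructed sample: the macro and ICMP rule from the quoted pf.conf.
SAMPLE_CONF = '''
icmp_types="{ 0 3 8 11 }"
pass inet proto icmp all icmp-type $icmp_types keep state
'''

def canonical(token):
    """Map one icmp-type token (number or abbreviation) to its listed form."""
    if token.isdigit():
        number = int(token)
        if number > 255:
            raise ValueError(f"icmp-type out of range: {token}")
        # Numbers missing from this table stay numeric (assumption of this example).
        return ICMP_NAMES.get(number, token)
    if token not in KNOWN_NAMES:
        raise ValueError(f"unknown icmp-type abbreviation: {token}")
    return token

def expand_rules(conf_text):
    """Expand macros and icmp-type lists into one rule per ICMP type."""
    macros, rules = {}, []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        definition = MACRO_DEF.match(line)
        if definition:
            macros[definition.group(1)] = definition.group(2)
            continue
        line = re.sub(r'\$(\w+)', lambda ref: macros[ref.group(1)], line)
        clause = ICMP_CLAUSE.search(line)
        if clause is None:
            rules.append(line)
            continue
        tokens = clause.group(1).strip("{} ").replace(",", " ").split()
        for token in tokens:
            rules.append(line[:clause.start()] + "icmp-type "
                         + canonical(token) + line[clause.end():])
    return rules
```

Calling `expand_rules(SAMPLE_CONF)` returns the four `pass inet proto icmp` rules in the same form as the quoted listing.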



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?b17ab3230609060546o6717d24ar2be845e07f83e975>