docs/101114: icmptype names not in icmp(4) manpage

John Archambeau jcarchambeau at gmail.com
Tue Sep 5 19:53:24 UTC 2006


I draw your attention to the following paragraph on the manpage for pf.conf (5);

icmp-type _type_ code _code_

icmp6-type _type_ code _code_
	   This rule only applies to ICMP or ICMPv6 packets with the specified
	   type and code.  Text names for ICMP types and codes are listed in
	   icmp(4) and icmp6(4).  This parameter is only valid for rules that
	   cover protocols ICMP or ICMP6.  The protocol and the ICMP type
	   indicator (icmp-type or icmp6-type) must match.

To create a pf.conf file (see man pf.conf) properly for filtering of
icmp, you must specify the icmptype(s) you wish to filter by abbreviation
per the OpenBSD icmp(4) manpage.  It's not like ipfw where you can
specify the icmptype by number, it must be the type by the
abbreviation as specified by the OpenBSD manpage for icmptypes.
Since the pf.conf manpage references the icmptype abbreviations used by
both FreeBSD and OpenBSD, the icmp manpage should be the same for both
with the icmptype abbreviations.

Also if you do a pfctl -sr on a machine running pf instead of ipfw to
look at your ruleset, your icmp rules are listed by the icmptype
abbreviation in the OpenBSD icmp(4) manpage, not the number as ipfw
does.  Therefore, since it appears to be an integral requirement of
pf, pfctl and pf.conf to reference icmp packets by their type
abbreviation, the FreeBSD icmp(4) manpage should be updated to reflect
this.

Here's the output of pfctl -sr with the icmp rules outlined from one
of my firewall machines running FreeBSD 6.1;

pass in log-all on fxp1 inet proto icmp all icmp-type echorep keep state
pass in log-all on fxp1 inet proto icmp all icmp-type unreach keep state
pass in log-all on fxp1 inet proto icmp all icmp-type squench keep state
pass in log-all on fxp1 inet proto icmp all icmp-type timex keep state
pass in log-all on fxp1 inet proto icmp all icmp-type paramprob keep state

Note they are by icmptype abbreviation and NOT number code as ipfw has them.

On 9/5/06, Remko Lodder <remko at freebsd.org> wrote:
> Synopsis: icmptype names not in icmp(4) manpage
>
> State-Changed-From-To: open->feedback
> State-Changed-By: remko
> State-Changed-When: Tue Sep 5 11:57:04 UTC 2006
> State-Changed-Why:
> Hello,
>
> After looking into the ICMP man page you described, I am not
> very sure whether your information should be there at all.
>
> It specifically mentions the kernel interface and there
> is no need to have your ICMP information there.
>
> That the manual page of pf.conf refers to this section
> might be a left over from OpenBSD.
>
> What do others on the list think about this and what does
> the submitter think about this?
>
> Mark the PR into feedback mode for this.
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=101114
>
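As an added illustration of the point raised in the thread (this is not code from the PR or from the FreeBSD tree), the script below reads ruleset lines in the form pfctl -sr prints them, pulls out the icmp-type token of each ICMP rule and resolves it through the text-name table that pf.conf(5) points at in icmp(4). The table is a subset of that manpage's names with their numeric ICMP type values; the rule lines are the five from the mail plus one constructed line with a made-up name ("pingreply") so the unknown-name check has something to report. Someone auditing a ruleset before loading it can use the same check to catch a misspelled type name ahead of pfctl.

```python
import re
from typing import List, Optional, Tuple

# Text names for ICMP types as listed in icmp(4) and referenced by pf.conf(5),
# mapped to their numeric ICMP type values. Assumption: this subset of the
# icmp(4) table is enough for the example; the manpage lists more entries.
ICMP_TYPE_NAMES = {
    "echorep": 0, "unreach": 3, "squench": 4, "redir": 5, "althost": 6,
    "echoreq": 8, "routeradv": 9, "routersol": 10, "timex": 11,
    "paramprob": 12, "timereq": 13, "timerep": 14, "inforeq": 15,
    "inforep": 16, "maskreq": 17, "maskrep": 18, "trace": 30,
}

# Matches an ICMP rule as printed by pfctl -sr and captures the icmp-type token.
ICMP_RULE_RE = re.compile(r"\bproto\s+icmp\b.*?\bicmp-type\s+(\S+)")


def icmp_type_number(token: str) -> Optional[int]:
    """Resolve an icmp-type token to its numeric type; None if the name is unknown."""
    if token.isdigit():
        return int(token)
    return ICMP_TYPE_NAMES.get(token)


def audit_icmp_rules(ruleset: str) -> List[Tuple[str, str, Optional[int]]]:
    """Return (rule line, icmp-type token, numeric type or None) per ICMP rule."""
    found = []
    for line in ruleset.splitlines():
        match = ICMP_RULE_RE.search(line)
        if match:
            token = match.group(1)
            found.append((line.strip(), token, icmp_type_number(token)))
    return found


def unknown_icmp_types(ruleset: str) -> List[str]:
    """Tokens that neither icmp(4)'s name table nor a plain number can resolve."""
    return [tok for _, tok, num in audit_icmp_rules(ruleset) if num is None]


# Constructed sample: the five rules quoted in the mail, plus one line with a
# made-up type name ("pingreply") to exercise the unknown-name check.
SAMPLE_RULESET = """\
pass in log-all on fxp1 inet proto icmp all icmp-type echorep keep state
pass in log-all on fxp1 inet proto icmp all icmp-type unreach keep state
pass in log-all on fxp1 inet proto icmp all icmp-type squench keep state
pass in log-all on fxp1 inet proto icmp all icmp-type timex keep state
pass in log-all on fxp1 inet proto icmp all icmp-type paramprob keep state
pass in log-all on fxp1 inet proto icmp all icmp-type pingreply keep state
"""

if __name__ == "__main__":
    for rule, token, number in audit_icmp_rules(SAMPLE_RULESET):
        status = f"type {number}" if number is not None else "UNKNOWN name"
        print(f"{token:<10} {status:<13} {rule}")
    bad = unknown_icmp_types(SAMPLE_RULESET)
    if bad:
        print("not in icmp(4) name table:", ", ".join(bad))
```

Feeding it a real ruleset is a matter of `pfctl -sr | python3 audit.py` with the sample replaced by `sys.stdin.read()`; the name table is the part that should track whatever icmp(4) ends up documenting.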
