opinion on this ruleset
Travis H.
travis at subspacefield.org
Mon Dec 4 12:13:36 PST 2006
On Thu, Nov 30, 2006 at 06:40:45PM +0100, Gergely CZUCZY wrote:
> ($ext_if) translates to an ip address of the interface,
> and not to all addresses on the interface.
Are you sure? To get a single address, I use ($ext_if:0).
> > pass in inet proto icmp all icmp-type $icmp_types keep state
> wrong.
> use this:
> pass in on $ext_if proto icmp
>
> if you wonder why, read the openbsd's FAQ on pf. or just google for it
I've read the FAQ several times and don't remember this.
I filter all ICMP _queries_ inbound, and ICMP _responses_ outbound,
and have never had a problem.
What exactly should we be googling for, other than "pf icmp"?
--
"Cryptography is nothing more than a mathematical framework for
discussing various paranoid delusions." -- Don Alvarez
<URL:http://www.subspacefield.org/~travis/> -><-
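Added illustration, not part of the thread: a minimal pf.conf fragment that puts the two points under discussion side by side. The interface name em0 and the ICMP type list are assumptions for illustration. In pf.conf(5), an interface name in parentheses is re-evaluated whenever the interface's addresses change and expands to every address on that interface; the :0 modifier excludes alias addresses, which is what makes ($ext_if:0) match only the primary address.

```pf
# Added example (not from the thread). Interface name and type list are
# assumed for illustration.
ext_if = "em0"

# ICMP types accepted inbound; everything else hits the default block.
icmp_types = "{ echoreq, unreach }"

set skip on lo0
block in log all

# Host-originated traffic goes out; the state entry admits the replies,
# so ICMP responses never need their own inbound pass rule.
pass out on $ext_if keep state

# ($ext_if)   -> all addresses currently assigned to em0 (aliases included)
# ($ext_if:0) -> only the primary address of em0 (aliases excluded)
# Only the listed ICMP types are passed, and keep state lets the matching
# echo reply back out through the state rather than through a rule.
pass in on $ext_if inet proto icmp from any to ($ext_if:0) \
    icmp-type $icmp_types keep state

# The unfiltered rule quoted in the thread, kept here only for comparison
# (commented out): it passes every ICMP type arriving on em0, including
# timestamp and information requests, not just the ones listed above.
# pass in on $ext_if proto icmp
```

To see what pf actually does with this, parse it without loading (pfctl -nf /etc/pf.conf) and then, after loading, list the expanded ruleset with pfctl -sr: the brace list is split into one rule per ICMP type, and the ($ext_if:0) form shows the single address it resolved to, which is the quickest way to confirm whether the alias exclusion is in effect.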