pf, ping and traceroute

Miroslav Lachman 000.fbsd at
Tue Sep 11 07:44:33 PDT 2007

jonathan michaels wrote:
> On Tue, Sep 11, 2007 at 02:07:45AM -0700, Kian Mohageri wrote:
> yes, kian, my basic problem is that english is not my first language
> and i still have difficulty understanding the way that teh document is
> written.

Even if you are not native english speaking, please use "the" and not 
"teh". It is hard to read your sentences.

>>Focus on understanding how the directions work (e.g. pass in vs. pass
>>out) and also 'keep state.'  Understanding states is critical... have
>>you figured out how those work yet?
> i think that i have .. but, i have a way to go yet i think. learning
> for me is a hard process of reading and reading and reading untill i
> understand it and i can get it past teh damaged bits of my brain.
> sorry, i don't have any other way of explaining what is going on.

I am using PF on my servers and I am using the folowing two lines to 
allow incoming & outgoing pings:

# Allow pings and replies while keeping state
pass out quick on $ext_if inet proto icmp icmp-type 8 code 0 keep state
pass in quick on $ext_if inet proto icmp icmp-type 8 code 0 keep state

Where $ext_if is ext_if="bge0"

>>Are you filtering on a router? Switch? Server?
> pentium 133 mhz that is running freebsd v6.2 and i am using the
> included version pf. so i suppose that it is a server, yes ??
> my internet connection is via a v.90 dialup modem that provides me a
> permanent connected ppp style connection/account (been using some 10
> plus years).
> ext_if=ppp0	= this is teh modem, on serial (comm0/cuad0 ) port 1
> int_if=de0	= nic, accton en1203 21040 (a digital 10 mhz clone)
> this is all that that there is, so i suppose its a simple router ??
> i am thinking of using pf to defend all teh internal machines from
> stuff that makes it through the firewall, is this possible (there seems
> to be nothing, that i have been able to find/understand in teh doc or
> via google) ??
> this means that i am looking at using ipfw as a secondary firewall, or
> just as a filter kind of thing to keep out the stuff that is making it
> through the firewall.

I don't understand what do you mean...
There is no reason to use more then one firewall on the machine and PF 
is just fine.

Miroslav Lachman

More information about the freebsd-pf mailing list