ipfw -- why need to let icmp out that I already let in?

[Dan Nelson]

In the last episode (Oct 31), Ivan Voras said:
> freebsd at dreamchaser.org wrote:
> 
> > add 10510 allow icmp from any to any out via oif() keep-state
> 
> I don't think ICMP is stateful :)
> 
> You need both in and out rules for ICMP because the logical responses
> to packets can't be reliably connected into a single communication.

I use "allow icmp from any to any icmptypes 0,3,11,12 in"

those types being "echo reply", "destination unreachable",
"time-to-live exceeded", and "IP header bad".

-- 
	Dan Nelson
	dnelson at allantgroup.com