Thank you, o great one… I am humbled by my total obliviousness.
> On 04 Sep 2015, at 21:43, Christian Weisgerber <[hidden email]> wrote:
> On 2015-09-04, Joseph Borg <[hidden email]> wrote:
>> this doesn’t work:
>> pass out on $DMZ_if inet proto icmp icmp-type echoreq from 192.168.2.1
>> these work:
>> pass out on $DMZ_if inet proto icmp from 192.168.2.1
>> pass out on $DMZ_if inet proto icmp icmp-type echoreq
> Simply searching for "icmp-type" in the pf.conf(5) man page turns up
> these example lines
> pass out inet proto icmp all icmp-type echoreq
> pass on $ext_if inet proto icmp all icmp-type 8 code 0
> In the grammar section, we find
> pf-rule   = action [ ( "in" | "out" ) ]
>             [ "log" [ "(" logopts ")"] ] [ "quick" ]
>             [ "on" ( ifspec | "rdomain" number ) ] [ af ]
>             [ protospec ] hosts [ filteropts ]
> filteropt = user | group | flags | icmp-type | icmp6-type |
>             "tos" tos |
> which makes it clear that host addresses like "from 192.168.2.1"
> must precede "icmp-type".
>> Suggestion: can we have a wiki where we can post user examples
>> of configuration snippets of the various system services and discuss
> If you are already overwhelmed by the existing documentation, how
> will adding even more text help?
> Christian "naddy" Weisgerber [hidden email]
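
The clause ordering from the quoted grammar, applied to the rule from the question. This is an added example, not part of the original thread; the interface name assigned to `DMZ_if` is a constructed placeholder.

```conf
# Added example, not from the thread.
# Assumption: the interface name below is a constructed placeholder.
DMZ_if = "em1"

# Rejected by the parser: icmp-type is a filteropt, and here it
# appears before the hosts clause ("from ...").
# pass out on $DMZ_if inet proto icmp icmp-type echoreq from 192.168.2.1

# Accepted: hosts first, filteropts after, matching
#   pf-rule = action ... [ protospec ] hosts [ filteropts ]
pass out on $DMZ_if inet proto icmp from 192.168.2.1 icmp-type echoreq

# The same match written with the numeric type and code, in the form of
# the second man page example ("icmp-type 8 code 0").
pass out on $DMZ_if inet proto icmp from 192.168.2.1 icmp-type 8 code 0
```

Running `pfctl -nf /etc/pf.conf` parses the ruleset without loading it, so a misordered rule is caught before it touches the running filter.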