icmp block/pass rules in PF


Joseph Borg
thank you o great one… I am humbled by my total obliviousness.


> On 04 Sep 2015, at 21:43, Christian Weisgerber <[hidden email]> wrote:
>
> On 2015-09-04, Joseph Borg <[hidden email]> wrote:
>
>> this doesn’t work:
>> pass out on $DMZ_if inet proto icmp icmp-type echoreq from 192.168.2.1
>> these work:
>> pass out on $DMZ_if inet proto icmp from 192.168.2.1
>> pass out on $DMZ_if inet proto icmp icmp-type echoreq
>
> Simply searching for "icmp-type" in the pf.conf(5) man page turns up
> these example lines
>
>   pass out inet proto icmp all icmp-type echoreq
>
>   pass on $ext_if inet proto icmp all icmp-type 8 code 0
>
> In the grammar section, we find
>
>    pf-rule        = action [ ( "in" | "out" ) ]
>                     [ "log" [ "(" logopts ")"] ] [ "quick" ]
>                     [ "on" ( ifspec | "rdomain" number ) ] [ af ]
>                     [ protospec ] hosts [ filteropts ]
>
>    filteropt      = user | group | flags | icmp-type | icmp6-type |
>                     "tos" tos |
>    [...]
>
> which makes it clear that host addresses like "from 192.168.2.1"
> must precede "icmp-type".
>
>> Suggestion: can we have a wiki where we can post user examples
>> of configuration snippets of the various system services and discuss
>> them?
>
> If you are already overwhelmed by the existing documentation, how
> will adding even more text help?
>
> --
> Christian "naddy" Weisgerber                          [hidden email]
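The ordering point from the quoted reply, as an added illustration that is not part of the original thread or of OpenBSD's own tooling: a small Python lint that models only the piece of the pf.conf(5) grammar quoted above (host addresses belong to `hosts`, `icmp-type`/`icmp6-type` are `filteropts`, so `from`/`to`/`all` must come first). It is not pfctl and validates nothing else about a rule; the function names, the assumption that a misplaced host clause runs to the end of the line, and the sample `pf.conf` fragment are all constructed for this example.

```python
"""Lint the clause order of ICMP filter rules against the pf.conf(5) grammar
quoted in the thread (illustrative; assumption-based, not pfctl):

    pf-rule   = action [in|out] [log ...] [quick] [on ifspec] [af]
                [protospec] hosts [filteropts]
    filteropt = user | group | flags | icmp-type | icmp6-type | ...

The only rule enforced here: any host clause ("from", "to", "all") must
appear before the first "icmp-type"/"icmp6-type" filteropt.
"""
from __future__ import annotations

HOST_KEYWORDS = {"from", "to", "all"}
FILTEROPT_KEYWORDS = {"icmp-type", "icmp6-type"}

# Constructed pf.conf fragment built from the four rules quoted in the thread.
SAMPLE_PF_CONF = """\
# constructed sample: line 2 is the rule the original poster said fails
pass out on $DMZ_if inet proto icmp icmp-type echoreq from 192.168.2.1
pass out on $DMZ_if inet proto icmp from 192.168.2.1
pass out on $DMZ_if inet proto icmp icmp-type echoreq
pass on $ext_if inet proto icmp all icmp-type 8 code 0
"""


def tokenize(rule: str) -> list[str]:
    """Drop a trailing '#' comment and split the rule on whitespace."""
    return rule.split("#", 1)[0].split()


def check_order(rule: str) -> tuple[bool, str]:
    """Return (ok, message); ok is False when a host clause follows icmp-type."""
    tokens = tokenize(rule)
    opt_idx = [i for i, t in enumerate(tokens) if t in FILTEROPT_KEYWORDS]
    host_idx = [i for i, t in enumerate(tokens) if t in HOST_KEYWORDS]
    if not opt_idx or not host_idx:
        # No icmp-type, or no explicit hosts: the ordering constraint is moot.
        return True, "no ordering constraint applies"
    first_opt = min(opt_idx)
    late = [tokens[i] for i in host_idx if i > first_opt]
    if late:
        return False, (f"host clause {late[0]!r} appears after "
                       f"{tokens[first_opt]!r}; hosts must precede filteropts")
    return True, "ok"


def reorder(rule: str) -> str:
    """Move a misplaced host clause ahead of the icmp-type filteropt.

    Assumption (constructed for this example): the misplaced host clause
    starts at the first host keyword after icmp-type and runs to the end
    of the rule.
    """
    tokens = tokenize(rule)
    ok, _ = check_order(rule)
    if ok:
        return " ".join(tokens)
    first_opt = min(i for i, t in enumerate(tokens) if t in FILTEROPT_KEYWORDS)
    first_host = min(i for i, t in enumerate(tokens)
                     if t in HOST_KEYWORDS and i > first_opt)
    before = tokens[:first_opt]          # action ... protospec
    filteropts = tokens[first_opt:first_host]  # icmp-type <type> [code N]
    hosts = tokens[first_host:]          # from/to/all ... (assumed to the end)
    return " ".join(before + hosts + filteropts)


def lint(text: str) -> list[tuple[int, str]]:
    """Return (line number, message) for every rule that fails check_order."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not tokenize(line):
            continue  # blank line or comment-only line
        ok, msg = check_order(line)
        if not ok:
            problems.append((lineno, msg))
    return problems


if __name__ == "__main__":
    for lineno, msg in lint(SAMPLE_PF_CONF):
        bad = SAMPLE_PF_CONF.splitlines()[lineno - 1]
        print(f"line {lineno}: {msg}")
        print(f"  suggested: {reorder(bad)}")
```

Running it flags only the second sample line and prints the corrected form, `pass out on $DMZ_if inet proto icmp from 192.168.2.1 icmp-type echoreq`, which is the same reordering the quoted reply derives from the grammar. For a real ruleset, `pfctl -nf /etc/pf.conf` remains the authoritative syntax check; this script only explains the one ordering error discussed here.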