On Thu, Nov 30, 2006 at 06:40:45PM +0100, Gergely CZUCZY wrote:
> ($ext_if) translates to an ip address of the interface,
> and not to all addresses on the interface.

Are you sure? To get a single address, I use ($ext_if:0).

> > pass in inet proto icmp all icmp-type $icmp_types keep state
> wrong.
> use this:
> pass in on $ext_if proto icmp
>
> if you wonder why, read the openbsd's FAQ on pf. or just google for it

I've read the FAQ several times and don't remember this. I filter all ICMP _queries_ inbound, and ICMP _responses_ outbound, and have never had a problem. What exactly should we be googling for, other than "pf icmp"?

--
"Cryptography is nothing more than a mathematical framework for discussing various paranoid delusions." -- Don Alvarez
<URL:http://www.subspacefield.org/~travis/> -><-