On 30 May 2014 19:13, System Administrator <ad...@bitwise.net> wrote:
> On 30 May 2014 at 13:56, Sebastian Benoit wrote:
> >
> > Marko Cupać (marko.cu...@mimar.rs) on 2014.05.30 11:32:14 +0200:
> > > Assuming that $pub_web ip address is used exclusively for web server
> > > access, and no other ports are redirected to other internal addresses,
> > > should I also redirect icmp:
> > >
> > > pass in on $ext_if inet proto icmp from any to $pub_web rdr-to
> > > $priv_web
> >
> > No.
>
> This is not entirely correct -- you *may* want to have the above
> redirect *if* you want external users to be able to ping the real web
> server to ascertain that it is up, in which case you probably want to
> limit icmp types to echo-request/echo-reply (you certainly do NOT want
> to pass through the icmp redirect or the many other routing controls).
>

Or if you're concerned about the ICMP messages related to PMTUd,
they're automatically forwarded as part of the connection state
tracking IIRC.

-André
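The rule from the original question beside the tightened form suggested in the reply, as an added pf.conf fragment that is not part of the thread. The interface name and the two addresses are assumed placeholders (documentation and private ranges), and the macro names follow the ones used in the question:

```conf
# Added example, not from the thread. Macros are assumed placeholders.
ext_if   = "em0"
pub_web  = "203.0.113.10"     # public address of the web server (RFC 5737 range)
priv_web = "192.168.1.10"     # internal host the public address maps to

# Weak form (the rule as asked about): every ICMP type addressed to
# $pub_web, including redirect and other routing-control messages, is
# forwarded to the internal host.
# pass in on $ext_if inet proto icmp from any to $pub_web rdr-to $priv_web

# Tightened form: only echo requests are redirected, so external users can
# still ping the real server. The echo replies travel back through the
# state pf creates for the request, so no separate echorep rule is needed.
pass in on $ext_if inet proto icmp from any to $pub_web \
    icmp-type echoreq rdr-to $priv_web

# The web traffic itself, assumed to be redirected by a similar rule.
pass in on $ext_if inet proto tcp from any to $pub_web port { 80 443 } \
    rdr-to $priv_web
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and confirm what was actually installed with `pfctl -sr`. The ICMP error messages that belong to an existing TCP state (the PMTU discovery case mentioned at the end of the message) are not covered by the echoreq rule and do not need to be; they are handled by pf's state tracking, which is exactly the point André makes.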