On Apr 25, 2007, at 11:05 AM, Allen Theobald wrote:


pass in inet proto icmp all icmp-type $icmp_types keep state

This can be used as a covert communication channel. Allowing internal IPs to send/receive ping is bad.

As for your question, only allow internal devices to do what you want and deny the rest. rdr requests to external web servers on port 80 to your transparent/filtering proxy.

-Chad
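
The advice above expressed as a pf.conf fragment, added here as an example and not part of the original message. It uses the `rdr` syntax the reply refers to; interface names, the internal network and a proxy listening on 127.0.0.1 port 3128 are assumptions.

```pf
# Constructed example: macros below are assumptions, not values from the thread.
ext_if     = "em0"
int_if     = "em1"
int_net    = "192.168.1.0/24"
proxy      = "127.0.0.1"
proxy_port = "3128"

# Translation: HTTP from internal clients to any external web server is
# redirected to the local transparent/filtering proxy.
# (OpenBSD 4.7 and later express this as "pass in ... rdr-to" instead.)
rdr on $int_if inet proto tcp from $int_net to any port 80 -> $proxy port $proxy_port

# Default deny: whatever is not explicitly passed below is dropped and logged.
block log all

# Rule quoted in the thread, left disabled: it accepts the listed ICMP types
# inbound on every interface from any source, internal hosts included.
# pass in inet proto icmp all icmp-type $icmp_types keep state

# Internal clients may reach only the proxy. The filter rule sees the
# destination after rdr has rewritten it.
pass in on $int_if inet proto tcp from $int_net to $proxy port $proxy_port keep state

# The firewall itself: the proxy fetches pages, and only the firewall's own
# address may send echo requests. Internal hosts get no ICMP path out.
pass out on $ext_if inet proto tcp  from ($ext_if) to any port 80 keep state
pass out on $ext_if inet proto icmp from ($ext_if) to any icmp-type echoreq keep state
```

`pfctl -nf /etc/pf.conf` parses the ruleset without loading it, and `pfctl -sr` lists the rules that are active after a load.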
