Bridging again

Gergo Szakal bastyaelvtars at gmail.com
Tue Sep 26 03:04:39 PDT 2006


Tiv wrote:

> I'm no expert, but unless you intend to block ICMP messages,
> you just might want to use something like this...
>
>     pass out on $ext_if proto tcp all modulate state flags S/SA
>     pass out on $ext_if proto { udp, icmp } all keep state
>
> If you can't ping/arp a host (icmp disabled), I'd think you'd have
> trouble connecting ssh...
>
> When I block/filter icmp on a Cisco router I get this:
>
>     ssh: connect to host targa port 22: No route to host
>
> ...just something to consider.

No, I never had to explicitly allow ICMP on any of my firewalls, because 
stateful filtering takes care of internet connection messaging protocol 
as well. I only had to explicitly allow echo requests and echo replies. 
Otherwise I would have allowed ICMP.
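An added pf.conf fragment (not from either poster) illustrating the point above: with stateful rules on TCP and UDP, PF admits the ICMP error messages that belong to those states, so only echo requests need their own rule. $ext_if is assumed to be the external interface macro used in the quoted rules, and em0 is a placeholder.

```pf
# Added example, not part of the thread. Assumes $ext_if names the
# external interface, as in the rules quoted above; em0 is a placeholder.
ext_if = "em0"

set skip on lo

# Default deny in both directions; everything below is an exception.
block log all

# Outbound TCP/UDP with state. PF matches ICMP error messages that refer
# to these states (e.g. unreachable, time exceeded) against them, so no
# blanket "pass proto icmp" rule is needed for connectivity.
pass out on $ext_if inet proto tcp from ($ext_if) to any \
    modulate state flags S/SA
pass out on $ext_if inet proto udp from ($ext_if) to any keep state

# Outbound ping: the echo request creates a state, and that state also
# admits the matching echo reply.
pass out on $ext_if inet proto icmp from ($ext_if) to any \
    icmp-type echoreq keep state

# Let outside hosts ping this box; still no other ICMP types are opened.
pass in on $ext_if inet proto icmp from any to ($ext_if) \
    icmp-type echoreq keep state

# Inbound ssh, stateful.
pass in on $ext_if inet proto tcp from any to ($ext_if) port 22 \
    flags S/SA keep state
```

Load it with `pfctl -nf` first to syntax-check, then watch `pfctl -ss` while pinging out to see the icmp state appear alongside the tcp/udp ones.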
