Bridging again
Gergo Szakal
bastyaelvtars at gmail.com
Tue Sep 26 04:37:51 PDT 2006
Emiel Kollof wrote:
> I would definitely allow ICMP, because ICMP is just necessary. If you don't
> want ping to work, just disallow icmp echo and reply.
Again: that config works on OpenBSD 3.8; we just cannot ping, but other
ICMP works. This is from the PF users' guide:
'Another advantage of keeping state is that corresponding ICMP traffic
will be passed through the firewall. For example, if keep state is
specified for a TCP connection and an ICMP source-quench message
referring to this TCP connection arrives, it will be matched to the
appropriate state entry and passed through the firewall.'
http://www.openbsd.org/faq/pf/filter.html