On 22/11/2019 06:19, Victor Sudakov wrote:
> >> 2. ICMP traffic in any direction
> > Sounds like a bad idea. Why would you do it?
> Well, for example, if a host in $inside_net sends a UDP datagram to a host in $dmz_net which generates an ICMP port unreachable message, I want the host in $inside_net to actually receive the message. If pf is THAT stateful and smart, then this rule is not necessary.
I believe that pf is clever enough to pass ICMP messages associated with a TCP or UDP connection for which it already has an established state without needing any specific additional rules.
BICBW.

Cheers,

Matthew
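A pf.conf fragment illustrating the behaviour discussed above, added here as an example and not part of the thread; interface names and the RFC 5737 documentation addresses are assumed:

```pf
# Constructed example: interfaces and networks are placeholders.
int_if     = "em1"
dmz_if     = "em2"
inside_net = "192.0.2.0/24"
dmz_net    = "198.51.100.0/24"

# Default deny on all interfaces; only stateful rules below open traffic.
block log all

# UDP from the inside to the DMZ. The state created here covers the reply
# traffic, and pf also matches an ICMP error (port unreachable, etc.)
# against the state of the UDP packet embedded in it, so the error reaches
# the inside host without any "pass proto icmp" rule. With the default
# "set state-policy floating" the same state lets the packet leave on
# $dmz_if, so no second rule is needed on that interface.
pass in on $int_if proto udp from $inside_net to $dmz_net keep state

# ICMP that is not an error for an existing state (echo requests here)
# does need its own rule; limit it to the types you want rather than
# passing ICMP in any direction.
pass in on $int_if inet proto icmp from $inside_net to $dmz_net \
    icmp-type echoreq keep state
```

Run `pfctl -nf /etc/pf.conf` to syntax-check the file, and `pfctl -ss` while a UDP exchange is in flight to see the state the error message is matched against.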