On 30 May 2014 at 13:56, Sebastian Benoit wrote:
> Marko Cupać (marko.cu...@mimar.rs) on 2014.05.30 11:32:14 +0200:
> > Hi,
> >
> > let's say for example I have web server on internal network, and I
> > have redirected tcp port 80 from firewall to it:
> >
> > pass in on $ext_if inet proto tcp from any to $pub_web port 80 \
> > rdr-to $priv_web
>
> From the wording of your subject, I suspect you somehow think that rdr-to
> has something to do with "icmp redirects", icmp messages with type 5.
>
> This is not so.

This is correct.

> > Assuming that $pub_web ip address is used exclusively for web server
> > access, and no other ports are redirected to other internal addresses,
> > should I also redirect icmp:
> >
> > pass in on $ext_if inet proto icmp from any to $pub_web rdr-to
> > $priv_web
>
> No.

This is not entirely correct -- you *may* want to have the above redirect *if* you want external users to be able to ping the real web server to ascertain that it is up, in which case you probably want to limit icmp types to echo-request/echo-reply (you certainly do NOT want to pass through the icmp redirect or the many other routing controls).
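A pf.conf fragment, added here as an illustration and not taken from either poster, showing the broad ICMP rdr-to rule from the thread next to one limited to echo requests; the interface name and the two addresses are assumed placeholder values.

```pf
# Added illustration, not from the thread. Macro values are assumed.
ext_if   = "em0"
pub_web  = "203.0.113.10"   # public address of the web server (documentation range)
priv_web = "192.168.1.10"   # real web server on the internal network

# The redirect under discussion: TCP port 80 only.
pass in on $ext_if inet proto tcp from any to $pub_web port 80 \
    rdr-to $priv_web

# Too broad: forwards every ICMP type (redirect, router advertisement, ...)
# to the internal host. Left commented out on purpose.
# pass in on $ext_if inet proto icmp from any to $pub_web rdr-to $priv_web

# Narrowed: only echo requests are redirected, so outsiders can ping the
# real server. pf keeps state by default, so the echo replies pass back
# without a separate rule, and no other ICMP type is redirected.
pass in on $ext_if inet proto icmp from any to $pub_web \
    icmp-type echoreq rdr-to $priv_web
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, which is a cheap way to catch a typo in the icmp-type keyword before the rules go live.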