icmp block/pass rules in PF

Joseph A Borg Thu, 03 Sep 2015 03:02:07 -0700

am I being daft on this one?

pfctl passes a syntax check on a rule such as
this:


passÂ   out on $DMZ_if                                                          
        \
                inet proto icmp                 Â                       Â       
                \
                from
192.168.99.68

Â but not this:
passÂ   out on $DMZ_if                                                          
        \
                inet proto
icmp icmp-type unreach                  Â               \
                from 192.168.99.68

this is ok:
passÂ   out on
$DMZ_if                                                                 \
                inet proto icmp icmp-type $icmp-type_list

I'm resorting
to having separate pass rules for localnet_if in and dmz_if out

is this ok?
am I missing something?

regards

icmp block/pass rules in PF

Reply via email to