On Mon, 18 Dec 2006 00:34:20 -0500 Jason Dixon <[EMAIL PROTECTED]> wrote:
>
> You don't use icmp echo-request for your network operations? Do you
> think you're gaining something by filtering ping on your firewall?
>

Amen... obey RFC 1122.

3.2.2.6 Echo Request/Reply: RFC-792

    Every host MUST implement an ICMP Echo server function that
    receives Echo Requests and sends corresponding Echo Replies.
    A host SHOULD also implement an application-layer interface
    for sending an Echo Request and receiving an Echo Reply, for
    diagnostic purposes.

    An ICMP Echo Request destined to an IP broadcast or IP
    multicast address MAY be silently discarded.

Use something along the line of:

    pass in inet proto icmp all icmp-type $icmp_types keep state

in pf.conf

Fer instance, note the recent journal on undeadly.org about the max
states DNS problem. ICMP helped there. It's nice to be able to diagnose
connectivity with as many tools as possible.

Travers Buda
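
The rule in the message above relies on an $icmp_types macro that the message does not define. The fragment below is an added example, not part of the original post: the macro value and the default-deny baseline are assumptions chosen to show the rule in a context where it loads.

```pf
# Added example: minimal pf.conf context for the ICMP rule quoted above.

# Assumption: the message never defines $icmp_types. This value permits
# echo request (ping) and destination unreachable, which covers basic
# reachability diagnostics and error reporting.
icmp_types = "{ echoreq, unreach }"

# Assumed baseline policy: drop inbound traffic unless a later rule passes it.
block in all

# Rule from the message. "keep state" creates a state entry for each
# permitted request, so the matching echo reply is allowed back out
# without a separate outbound ICMP rule.
pass in inet proto icmp all icmp-type $icmp_types keep state
```

The fragment can be syntax-checked without loading it using pfctl -nf, and the loaded ruleset inspected with pfctl -sr.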