On Mon, 18 Dec 2006 00:34:20 -0500
Jason Dixon <[EMAIL PROTECTED]> wrote:

> 
> You don't use icmp echo-request for your network operations?  Do you  
> think you're gaining something by filtering ping on your firewall?
> 

Amen... obey RFC 1122. 

3.2.2.6  Echo Request/Reply: RFC-792

            Every host MUST implement an ICMP Echo server function that
            receives Echo Requests and sends corresponding Echo Replies.
            A host SHOULD also implement an application-layer interface
            for sending an Echo Request and receiving an Echo Reply, for
            diagnostic purposes.

            An ICMP Echo Request destined to an IP broadcast or IP
            multicast address MAY be silently discarded.

Use something along the lines of:
pass in inet proto icmp all icmp-type $icmp_types keep state
in pf.conf

Fer instance, note the recent journal on undeadly.org about the max
states DNS problem. ICMP helped there. It's nice to be able to diagnose
connectivity with as many tools as possible.

Travers Buda
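The rule quoted in the message above references a $icmp_types macro without defining it. The following pf.conf fragment is an added example, not part of the original thread or of any poster's configuration; the interface name em0 and the choice of types in the macro are assumptions, and the default-deny block rule is included so the pass rule has something to override.

```pf
# Added example (not from the thread): a minimal pf.conf fragment that
# defines the $icmp_types macro used by the rule quoted in the message.
ext_if = "em0"                       # assumption: external interface name
icmp_types = "{ echoreq, unreach }"  # echo request plus destination-unreachable

set skip on lo

# Default deny inbound on the external interface; log what gets dropped.
block in log on $ext_if all

# Allow inbound ping and unreachables; the state entry lets the reply
# back out without a separate rule.
pass in on $ext_if inet proto icmp all icmp-type $icmp_types keep state

# Let the host's own diagnostic tools (ping, traceroute) out.
pass out on $ext_if inet proto icmp all keep state
```

Check the fragment with `pfctl -nf /etc/pf.conf` before loading it; `-n` parses without changing the running ruleset, and adding `-v` prints the rules with the macros expanded so you can confirm which ICMP types the pass rule actually matches.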
