Greetings. Trying to replicate some functionality with PF that I had with a Cisco ASA. I'm trying to explicitly allow echo requests outbound and only echo replies inbound, but it's not working. Here are my current rules for this, but I can't ping anything beyond the external interface.
    pass out quick on egress inet proto icmp icmp-type echoreq no state
    pass in quick on egress inet proto icmp icmp-type echorep no state
    block quick on egress inet proto icmp all

If I remove the 'no state' part, I can ping, but then I don't need the second line, and I don't really understand why not. So I guess my questions are: why does the above ruleset not work, and why does it work if I remove 'no state' (or use the default of keep state) but comment out the second rule? Shouldn't the echo reply packets be getting blocked on the way back in? What am I missing? Do I need to do something with NAT? Thanks
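As an added illustration (not part of the original post), here is a small Python model of the PF packet path that the three rules above go through: the state table is consulted before the ruleset, last match wins unless a rule is quick, and the address needed to un-NAT a reply lives in the state entry created by the outbound packet. It assumes the ping originates from a LAN host behind nat-to on egress; the addresses are constructed.

```python
from collections import namedtuple
from typing import Optional
# Constructed addresses: firewall egress, a LAN host behind nat-to, a remote target
EXT_IP, LAN_HOST, TARGET = "203.0.113.2", "192.168.1.10", "198.51.100.7"

# direction is "out"/"in" on egress; icmp_type is "echoreq"/"echorep"
Pkt = namedtuple("Pkt", "direction src dst icmp_type icmp_id")
# Rule direction None = no direction keyword (matches both); icmp_type None = "all"
Rule = namedtuple("Rule", "action direction icmp_type keep_state quick", defaults=(True, False))

def ruleset(stateless: bool, with_reply_rule: bool) -> list:
    """The poster's three rules; `stateless` models the 'no state' keyword."""
    rules = [Rule("pass", "out", "echoreq", not stateless, True)]
    if with_reply_rule:
        rules.append(Rule("pass", "in", "echorep", not stateless, True))
    rules.append(Rule("block", None, None, True, True))   # block quick ... icmp all
    return rules

class PF:
    def __init__(self, rules: list, nat: bool):
        self.rules, self.nat, self.states = rules, nat, {}

    def filter(self, p: Pkt) -> Optional[str]:
        """Return the address the packet is finally delivered to, or None if dropped."""
        # State lookup comes before the ruleset: a reply that matches a state entry
        # is passed and un-NATed to the original source stored in that entry.
        st = self.states.get((p.dst, p.src, p.icmp_id)) if p.direction == "in" else None
        if st is not None:
            return st
        last = None
        for r in self.rules:                      # last match wins unless quick
            if r.direction in (None, p.direction) and r.icmp_type in (None, p.icmp_type):
                last = r
                if r.quick:
                    break
        if last is None or last.action == "block":
            return None
        if p.direction == "out" and last.keep_state:
            src = EXT_IP if self.nat else p.src   # nat-to rewrites the source on the wire
            self.states[(src, p.dst, p.icmp_id)] = p.src
        return p.dst    # stateless pass: nothing reverses the translation

def ping(stateless: bool, with_reply_rule: bool, nat: bool) -> Optional[str]:
    """Where the echo reply ends up; LAN_HOST means the ping from the LAN succeeded."""
    fw = PF(ruleset(stateless, with_reply_rule), nat)
    src = LAN_HOST if nat else EXT_IP
    if fw.filter(Pkt("out", src, TARGET, "echoreq", 7)) is None:
        return None
    return fw.filter(Pkt("in", TARGET, EXT_IP, "echorep", 7))   # reply comes to the egress IP
```

With the stateless ruleset and NAT, the reply is passed by the second rule but delivered to the egress address rather than the LAN host; with keep state, the state entry both passes the reply and maps it back, which is why the second rule becomes unnecessary.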
