The firewall state allows ICMP responses that match an existing state. For example, echo replies that match a permitted echo request, ICMP responses to outgoing TCP connections, etc.
On 30 July 2016 05:08:29 BST, Aaron Hofer <[email protected]> wrote:
> Greetings,
>
> Trying to replicate some functionality with PF that I had with a Cisco
> ASA. I'm trying to explicitly allow echo requests outbound and only echo
> replies inbound, but it's not working. Here are my current rules for this,
> but I can't ping anything beyond the external interface though.
>
> pass out quick on egress inet proto icmp icmp-type echoreq no state
> pass in quick on egress inet proto icmp icmp-type echorep no state
> block quick on egress inet proto icmp all
>
> If I remove the 'no state' part, I can ping, but I don't need the second
> line, which I don't really understand why I don't. So I guess my questions
> are, why does the above ruleset not work, and why does it work if I remove
> 'no state' or use the default of keep state but comment out the second rule?
> Shouldn't the echo reply packets be getting blocked on the way back in?
>
> What am I missing? Do I need to do something with NAT?
>
> Thanks
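As an added illustration (not part of the reply or of Aaron's original message), a toy model of the behaviour described above: PF checks an inbound echo reply against the state table first, and only falls through to the rules when no state matches. The state key (addresses plus ICMP identifier), the rule evaluation and the sample addresses are simplifications constructed for the example; NAT is not modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IcmpPacket:
    src: str
    dst: str
    kind: str    # "echoreq" or "echorep"
    ident: int   # ICMP identifier chosen by the pinging host


@dataclass(frozen=True)
class Rule:
    direction: str          # "in", "out" or "any"
    icmp_type: str          # "echoreq", "echorep" or "all"
    action: str             # "pass" or "block"
    keep_state: bool = True  # PF's default; False models 'no state'


class PfModel:
    """Simplified PF: state lookup first, then first matching ('quick') rule."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()  # (src, dst, ident) of echo requests passed with state

    def filter(self, direction, pkt):
        # An inbound echo reply passes when it matches an existing echoreq state:
        # addresses reversed, same ICMP identifier.
        if direction == "in" and pkt.kind == "echorep":
            if (pkt.dst, pkt.src, pkt.ident) in self.states:
                return "pass (state)"
        # No matching state: the first matching rule decides.
        for r in self.rules:
            if r.direction in (direction, "any") and r.icmp_type in (pkt.kind, "all"):
                creates_state = r.action == "pass" and r.keep_state
                if creates_state and direction == "out" and pkt.kind == "echoreq":
                    self.states.add((pkt.src, pkt.dst, pkt.ident))
                return f"{r.action} (rule)"
        return "pass (default)"  # PF passes traffic that no rule matches


def stateful_ruleset():
    # 'pass out ... echoreq' with the default keep state, then block all other ICMP.
    # No inbound echorep rule is needed: replies are admitted by the state entry.
    return PfModel([Rule("out", "echoreq", "pass"), Rule("any", "all", "block")])


def stateless_ruleset():
    # The 'no state' variant: replies can only get in through the explicit echorep
    # rule, which also admits echo replies nobody asked for.
    return PfModel([Rule("out", "echoreq", "pass", keep_state=False),
                    Rule("in", "echorep", "pass", keep_state=False),
                    Rule("any", "all", "block")])
```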
