> > add 10510 allow icmp from any to any out via oif() keep-state
>
> I don't think ICMP is stateful :)
>
> You need both in and out rules for ICMP because the logical responses to
> packets can't be reliably connected into a single communication.

Actually, I disagree. True, ICMP is not a stateful protocol; however,
the keep-state directive works for ICMP as well:

ipfw add 99 allow icmp from me to 192.168.1.1 keep-state

on "ping 192.168.1.1" creates the following dynamic rule:

00099  7  588 (5s) STATE icmp 192.168.1.2 0 <-> 192.168.1.1 0

On a side note, the validity interval of this rule is controlled by
the net.inet.ip.fw.dyn_short_lifetime sysctl variable and is in the above
case set to 5 seconds (default is 30).

Regards,
-- 
Nino
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
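The following script is an added example, not part of the thread above and not FreeBSD's own tooling. It parses the dynamic-rule lines that "ipfw -d show" prints (the layout follows the STATE line quoted in the mail) and checks the remaining lifetime of ICMP states against the dyn_short_lifetime value you expect. The ipfw output it reads is a constructed sample embedded in the script, so it runs without ipfw; on a real host you would pipe "ipfw -d show" into parse_dyn_states instead.

```shell
#!/bin/sh
# Added example (not from the thread): summarise "ipfw -d show" dynamic states
# and check ICMP state lifetimes. All input is a constructed sample; the field
# layout follows the line quoted in the mail:
#   00099  7  588 (5s) STATE icmp 192.168.1.2 0 <-> 192.168.1.1 0

# Constructed sample of "ipfw -d show" output: static rules, then the
# dynamic-rule section. Only the STATE lines are dynamic states.
SAMPLE_IPFW_OUTPUT='00099 7 588 allow icmp from me to 192.168.1.1 keep-state
00100 12 1040 allow tcp from me to any 22 keep-state
65535 0 0 deny ip from any to any
## Dynamic rules (2):
00099  7  588 (5s) STATE icmp 192.168.1.2 0 <-> 192.168.1.1 0
00100 12 1040 (297s) STATE tcp 192.168.1.2 51234 <-> 10.0.0.5 22'

# parse_dyn_states: read ipfw output on stdin and print one line per dynamic
# state as "<rule> <proto> <src>:<sport> <dst>:<dport> <ttl_seconds>".
# Static rules and the "## Dynamic rules" header have no STATE in field 5
# and are skipped.
parse_dyn_states() {
    awk '$5 == "STATE" {
        rule = $1 + 0                    # "00099" -> 99
        ttl = $4; gsub(/[()s]/, "", ttl) # "(5s)"  -> 5
        printf "%d %s %s:%s %s:%s %d\n", rule, $6, $7, $8, $10, $11, ttl
    }'
}

# count_states PROTO: number of dynamic states for a protocol (icmp, tcp, ...).
count_states() {
    printf '%s\n' "$SAMPLE_IPFW_OUTPUT" | parse_dyn_states |
        awk -v p="$1" '$2 == p' | wc -l | tr -d ' '
}

# state_ttl RULE PROTO: remaining lifetime in seconds of the first dynamic
# state created by RULE for PROTO; prints nothing if there is none.
state_ttl() {
    printf '%s\n' "$SAMPLE_IPFW_OUTPUT" | parse_dyn_states |
        awk -v r="$1" -v p="$2" '$1 == r && $2 == p { print $5; exit }'
}

# icmp_states_over_limit LIMIT: ICMP states whose remaining lifetime exceeds
# LIMIT seconds. ICMP states are timed by net.inet.ip.fw.dyn_short_lifetime,
# so with that sysctl at 5 (as in the mail) nothing should be listed; a hit
# means the running value is not what you assumed.
icmp_states_over_limit() {
    printf '%s\n' "$SAMPLE_IPFW_OUTPUT" | parse_dyn_states |
        awk -v lim="$1" '$2 == "icmp" && $5 > lim'
}

# Stand-alone run: show the parsed states and the checks.
printf '%s\n' "$SAMPLE_IPFW_OUTPUT" | parse_dyn_states
echo "icmp states: $(count_states icmp)"
echo "rule 99 icmp ttl: $(state_ttl 99 icmp)s"
echo "icmp states over 5s: $(icmp_states_over_limit 5 | wc -l | tr -d ' ')"
```

Each ICMP state appears once in the dynamic section with both endpoints and a countdown, which is what makes a single keep-state rule enough for a ping and its echo reply; the lifetime check is the quick way to confirm the sysctl value actually in effect matches the one you set.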