On 2015-09-04, Joseph Borg <[email protected]> wrote:
> this doesn’t work:
> pass out on $DMZ_if inet proto icmp icmp-type echoreq from 192.168.2.1
> these work:
> pass out on $DMZ_if inet proto icmp from 192.168.2.1
> pass out on $DMZ_if inet proto icmp icmp-type echoreq

Simply searching for "icmp-type" in the pf.conf(5) man page turns up
these example lines

    pass out inet proto icmp all icmp-type echoreq
    pass on $ext_if inet proto icmp all icmp-type 8 code 0

In the grammar section, we find

    pf-rule = action [ ( "in" | "out" ) ]
              [ "log" [ "(" logopts ")"] ] [ "quick" ]
              [ "on" ( ifspec | "rdomain" number ) ] [ af ]
              [ protospec ] hosts [ filteropts ]

    filteropt = user | group | flags | icmp-type | icmp6-type |
                "tos" tos |
                [...]

which makes it clear that host addresses like "from 192.168.2.1"
must precede "icmp-type".

> Suggestion: can we have a wiki where we can post user examples
> of configuration snippets of the various system services and discuss
> them?

If you are already overwhelmed by the existing documentation, how
will adding even more text help?

--
Christian "naddy" Weisgerber [email protected]
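
Added example, not part of the original message and not OpenBSD code: a small checker that applies the ordering from the quoted grammar (hosts before filteropts) to the rules in this thread and rewrites a misordered rule. The function name `reorder` and the keyword sets are assumptions for illustration; it only knows the filteropt keywords shown in the excerpt above and is not a pf.conf parser.

```python
# Clause-order check for a single pf rule, based on the quoted grammar:
#   pf-rule = action ... [ protospec ] hosts [ filteropts ]
# Assumption: one rule per string, tokens separated by whitespace.

HOST_KEYWORDS = {"all", "from", "to"}
# Only the filteropt keywords visible in the grammar excerpt in the message.
FILTEROPT_KEYWORDS = {"user", "group", "flags", "icmp-type", "icmp6-type", "tos"}


def reorder(rule):
    """Return (ok, rule_in_grammar_order) for one pf rule string."""
    tokens = rule.split()
    # Position of the first filteropt keyword, if any.
    opt = next((i for i, t in enumerate(tokens) if t in FILTEROPT_KEYWORDS), None)
    if opt is None:
        return True, rule
    # A hosts keyword after that position means the clauses are swapped.
    host = next((i for i in range(opt + 1, len(tokens))
                 if tokens[i] in HOST_KEYWORDS), None)
    if host is None:
        return True, rule
    # The misplaced hosts clause runs to the next filteropt keyword or the end.
    end = next((i for i in range(host + 1, len(tokens))
                if tokens[i] in FILTEROPT_KEYWORDS), len(tokens))
    fixed = tokens[:opt] + tokens[host:end] + tokens[opt:host] + tokens[end:]
    return False, " ".join(fixed)


# Rules taken from the thread (the first is the one reported as not working).
THREAD_RULES = [
    "pass out on $DMZ_if inet proto icmp icmp-type echoreq from 192.168.2.1",
    "pass out on $DMZ_if inet proto icmp from 192.168.2.1",
    "pass out on $DMZ_if inet proto icmp icmp-type echoreq",
    "pass out inet proto icmp all icmp-type echoreq",
    "pass on $ext_if inet proto icmp all icmp-type 8 code 0",
]

if __name__ == "__main__":
    for r in THREAD_RULES:
        ok, fixed = reorder(r)
        print("ok      " if ok else "reorder ", fixed)
```

The rewritten rule can then be syntax-checked without loading it by putting it in a file and running `pfctl -nf` on that file.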