thank you o great one… I am humbled by my total obliviousness.
> On 04 Sep 2015, at 21:43, Christian Weisgerber <[email protected]> wrote:
>
> On 2015-09-04, Joseph Borg <[email protected]> wrote:
>
>> this doesn’t work:
>> pass out on $DMZ_if inet proto icmp icmp-type echoreq from 192.168.2.1
>> these work:
>> pass out on $DMZ_if inet proto icmp from 192.168.2.1
>> pass out on $DMZ_if inet proto icmp icmp-type echoreq
>
> Simply searching for "icmp-type" in the pf.conf(5) man page turns up
> these example lines
>
>     pass out inet proto icmp all icmp-type echoreq
>
>     pass on $ext_if inet proto icmp all icmp-type 8 code 0
>
> In the grammar section, we find
>
>     pf-rule = action [ ( "in" | "out" ) ]
>               [ "log" [ "(" logopts ")"] ] [ "quick" ]
>               [ "on" ( ifspec | "rdomain" number ) ] [ af ]
>               [ protospec ] hosts [ filteropts ]
>
>     filteropt = user | group | flags | icmp-type | icmp6-type |
>                 "tos" tos |
>                 [...]
>
> which makes it clear that host addresses like "from 192.168.2.1"
> must precede "icmp-type".
>
>> Suggestion: can we have a wiki where we can post user examples
>> of configuration snippets of the various system services and discuss
>> them?
>
> If you are already overwhelmed by the existing documentation, how
> will adding even more text help?
>
> --
> Christian "naddy" Weisgerber [email protected]
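The ordering rule from the quoted grammar, applied to the rule in question, as an added example that is not part of the original thread. The interface name `em1` is a constructed value, and the `to any` destination is an assumption added so the `hosts` part is written out in full.

```conf
# pf.conf fragment (added example). Grammar order from pf.conf(5):
#   action [dir] [log] [quick] [on ifspec] [af] [protospec] hosts [filteropts]
# icmp-type is a filteropt, so it must come after the from/to host part.

DMZ_if = "em1"    # constructed interface name

# Rejected by the parser: filteropt (icmp-type) placed before hosts (from ...)
# pass out on $DMZ_if inet proto icmp icmp-type echoreq from 192.168.2.1

# Accepted: hosts first, then the filteropt
pass out on $DMZ_if inet proto icmp from 192.168.2.1 to any icmp-type echoreq

# Same rule using the numeric type and code form shown in the man page
pass out on $DMZ_if inet proto icmp from 192.168.2.1 to any icmp-type 8 code 0

# Parse the ruleset without loading it:
#   pfctl -nf /etc/pf.conf
```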

