On 07/30/16 06:08, Aaron Hofer wrote:
> Trying to replicate some functionality with PF that I had with a Cisco
> ASA. I'm trying to explicitly allow echo requests outbound and only
> echo replies inbound but it's not working. Here are my current rules for
> this, but I can't ping anything beyond the external interface though.
>
> pass out quick on egress inet proto icmp icmp-type echoreq no state
> pass in quick on egress inet proto icmp icmp-type echorep no state
> block quick on egress inet proto icmp all
Last match wins, so if you move the block up before the pass rules, you should see a difference.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
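The ordering Peter describes, written out as an added pf.conf example (not from either poster): without `quick`, PF's last matching rule wins, so the catch-all block goes first and the narrower pass rules below it decide echo traffic. It keeps the original post's `egress` interface group and adds a commented stateful alternative.

```conf
# Added example, not from the thread.
# Without "quick", PF evaluates every rule and the LAST match wins, so
# the catch-all block comes first and the narrower pass rules below it
# take precedence for echo traffic. A "quick" rule ends evaluation at
# the first match, so "block quick ... all" placed first would instead
# win for every ICMP packet and the pass rules would never be reached.

# 1. Default: drop all ICMP crossing egress, logged for visibility.
block log on egress inet proto icmp all

# 2. Stateless variant, closest to the original post: echo requests may
#    leave, and only echo replies may come back in.
pass out on egress inet proto icmp icmp-type echoreq no state
pass in on egress inet proto icmp icmp-type echorep no state

# 3. Stateful alternative (keep state is PF's default): the outbound
#    request creates a state entry and the matching reply is admitted by
#    the state table, so no inbound rule is needed. Use this form instead
#    of 2 if hosts behind the firewall are NATed on egress, because the
#    reverse translation of the reply depends on that state entry.
# pass out on egress inet proto icmp icmp-type echoreq
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -sr` shows the loaded rules in evaluation order.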
