Hi Aaron,
Removing the 'no state' allows PF to assign a state to an outgoing ICMP echo
request. The state means that PF will allow echo replies from the IP the
request was directed to, with no additional pass rule required.
This stateful configuration is the best way to achieve the result you
desire. The ASA, a stateful firewall, works the same way.
-Tony
On Fri, 29 Jul 2016, Aaron Hofer wrote:
Greetings,
Trying to replicate some functionality with PF that I had with a Cisco ASA.
I'm trying to explicitly allow echo requests outbound and only echo replies
inbound, but it's not working. Here are my current rules for this, but I can't
ping anything beyond the external interface.
pass out quick on egress inet proto icmp icmp-type echoreq no state
pass in quick on egress inet proto icmp icmp-type echorep no state
block quick on egress inet proto icmp all
If I remove the 'no state' part, I can ping, but I don't need the second
line, which I don't really understand. So I guess my questions
are: why does the above ruleset not work, and why does it work if I remove
'no state' or use the default of keep state but comment out the second rule?
Shouldn't the echo reply packets be getting blocked on the way back in?
What am I missing? Do I need to do something with NAT?
Thanks
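As an added example (not part of either message in this thread), here is the stateful form of the ruleset Aaron posted, with Tony's explanation written into the comments. The interface group name egress and the ICMP types come from the original rules; nothing else is assumed.

```pf
# Stateful version of the posted ICMP rules (added example, not from the thread).

# An outbound echo request matching this rule creates a state entry keyed on
# the source address, destination address and ICMP identifier. "keep state"
# is PF's default and could be omitted; it is spelled out here to contrast
# with the original "no state" rules.
pass out quick on egress inet proto icmp icmp-type echoreq keep state

# Inbound packets are checked against the state table before the ruleset is
# evaluated, so an echo reply belonging to that state is passed without any
# "pass in ... icmp-type echorep" rule. Inbound echo requests and every other
# ICMP type on egress fall through to this block rule.
block quick on egress inet proto icmp all
```

Check the file with `pfctl -nf /etc/pf.conf` (parse only, nothing is loaded) before loading it, and while a ping is running, `pfctl -ss` lists the ICMP state entry that carries the reply back in. With `no state` on the outbound rule no such entry exists, and any address translation PF would apply to the request also depends on that state entry, which is why the no-state ruleset behaves differently from the stateful one.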