On Mon, Dec 09, 2002 at 05:58:15PM -0500, Michael Lucas wrote:

> I need to be able to return specific ICMP responses to particular
> connection attempts, instead of just "unreachable". (say, "prohibited
> by filter" or some such.)

The type is always "unreachable" (ICMP_UNREACH), but you can choose the
code inside that type:

  net-unr       ICMP_UNREACH_NET
  host-unr      ICMP_UNREACH_HOST
  proto-unr     ICMP_UNREACH_PROTOCOL
  port-unr      ICMP_UNREACH_PORT (that's the default)
  net-prohib    ICMP_UNREACH_NET_PROHIB
  host-prohib   ICMP_UNREACH_HOST_PROHIB
  etc. (complete list is in src/sbin/pfctl/pfctl_parser.c icmp_code[])

and for icmp6

  admin-unr     ICMP6_DST_UNREACH_ADMIN
  addr-unr      ICMP6_DST_UNREACH_ADDR
  port-unr      ICMP6_DST_UNREACH_NOPORT (default)
  etc. (same place, icmp6_code[])

For the numeric list, see /usr/include/netinet/ip_icmp.h

> But, try as I might, I cannot specify any ICMP message numbers on the
> line. Judging from Google, nobody else is trying to specify message 3
> code 9 or such. How do these need to be formatted?

  block return-icmp(net-prohib) in on $ext_if inet all

or

  block return-icmp(9) ...

Daniel
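The following pf.conf fragment is an added example, not part of Daniel's reply, showing the return-icmp forms he describes side by side: the symbolic code, the numeric code, the icmp6 variant, and the two-code form for a rule that covers both address families. The interface name, the address macros and the ports are constructed placeholders, and the syntax is that of OpenBSD's pf.conf(5) (return-icmp6 and the "(v4code, v6code)" pair form are assumed to be available in the pf version in use; check with pfctl -nf).

```pf
# Added example, not from the mailing-list thread.  Macros below are
# constructed placeholders; replace them with the real interface/addresses.
ext_if    = "em0"
ext_addr  = "192.0.2.10"           # assumed external address (RFC 5737 range)
admin_net = "{ 192.0.2.0/24 }"     # assumed "trusted admin" prefix

# Default: drop silently, no ICMP at all, so unmatched probes get nothing.
block drop in on $ext_if all

# SMTP from the admin net is refused with type 3 / code 10
# (ICMP_UNREACH_HOST_PROHIB), i.e. "administratively prohibited".
block return-icmp(host-prohib) in on $ext_if inet proto tcp \
    from $admin_net to $ext_addr port 25

# Same idea with the numeric code: 9 is ICMP_UNREACH_NET_PROHIB (type 3,
# code 9), the exact case asked about in the thread.
block return-icmp(9) in on $ext_if inet proto tcp \
    from any to $ext_addr port 23

# IPv6: return-icmp6 takes the icmp6 code names/numbers from icmp6_code[];
# admin-unr is ICMP6_DST_UNREACH_ADMIN (code 1).
block return-icmp6(admin-unr) in on $ext_if inet6 proto tcp \
    from any to $ext_addr port 23

# One rule for both families: the first code is used for IPv4 replies,
# the second for IPv6 replies.
block return-icmp(port-unr, port-unr) in on $ext_if proto udp \
    from any to $ext_addr port 161

# No code given: pf falls back to the defaults, port-unr (3/3 for IPv4,
# ICMP6_DST_UNREACH_NOPORT 1/4 for IPv6).
block return-icmp in on $ext_if proto { tcp udp } from any to $ext_addr
```

Validate the file without loading it using `pfctl -nf /etc/pf.conf`; a typo in a code name is rejected at parse time. Note the trade-off the choice of code implies: the "prohib" codes are friendlier to legitimate clients (they fail immediately instead of retrying), but they also tell a scanner that a filter, not a closed port, is answering, whereas `block drop` reveals nothing and is the safer default toward untrusted networks.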
