On Wed, 19 Feb 2003, Juan Vera wrote:
> # pfctl -n -f -
> pass out quick on xl0 proto { tcp, udp, icmp } from any to any flags S keep state
> pass out quick on xl0 proto { tcp, udp, icmp } from xl0 to any flags S keep state
> stdin:3: icmp version does not match address family
> stdin:3: skipping filter rule due to errors
> pfctl: Syntax error in file: pf rules not loaded

The error message is indeed incorrect.
I don't understand how you think icmp packets could have a SYN flag set
though, so there's human error in your ruleset too. The "temporary fix"
you suggested is not temporary: that's the way it's supposed to be.

//Wouter

> temporary fix:
>
> # pfctl -n -f -
> pass out quick on xl0 proto { tcp, udp } from xl0 to any flags S keep state
> pass out quick on xl0 proto icmp from any to any keep state