> And while I'm at it, is there anywhere I can see which types of ICMP are
> *not* let back in even if they match a state (I assume that type 5
> redirect at least is always filtered unless there is an explicit rule)?
If you have:
block in log on $public all
block out log on $public all
as your first rules, you'll see which packets are being blocked.
> pass in on $public all keep state
> pass out on $public all keep state
Don't allow everything by default. Block everything and explicitly allow
what you want.
>
> pass in quick on $public inet proto icmp \
> from any to <mynet> \
> icmp-type 8 keep state
> pass in quick on $public inet proto icmp \
> from $router to <mynet> \
> icmp-type 9 keep state
> block in quick log on $public inet proto icmp \
> from any to <mynet>
> pass out quick on $public inet proto icmp \
> from <mynet> to any \
> icmp-type 8 keep state
> block out quick log on $public inet proto icmp \
> from <mynet> to any
>
>
I think what you want is this:
pass in quick on $public inet proto icmp from any to ($public) icmp-type { 8, 9 } keep state
pass out quick on $public inet proto icmp from ($public) to any icmp-type { 8, 9 } keep state
pass in quick on $internal inet proto icmp from <mynet> to any icmp-type { 8, 9 } keep state
pass out quick on $internal inet proto icmp from any to <mynet> icmp-type { 8, 9 } keep state
Try that.
-Dave
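As an added example (not Dave's ruleset and not the original poster's), the two pieces of advice above put together in one pf.conf: the logged default-deny pair first, the permissive "pass ... all keep state" lines shown commented out as the setting to avoid, and then only the ICMP types the thread actually wanted (echo request, and router advertisement from the router only). The interface names, the router address and the contents of the <mynet> table are assumed placeholders.

```pf
# Added example, not from the mailing-list thread. Interface names,
# $router and the <mynet> addresses are assumptions; adjust to your site.
public   = "em0"
internal = "em1"
router   = "192.0.2.1"               # assumed upstream router (placeholder)
table <mynet> { 192.168.1.0/24 }     # assumed internal network (placeholder)

set skip on lo

# Default deny, logged. With these first, anything that does not match an
# explicit pass rule below (including ICMP types that are not tied to a
# state) shows up on pflog0, which answers "what is being blocked?".
block in log on $public all
block out log on $public all

# The weak setting from the original ruleset, kept here only to show what
# NOT to do: it allows everything and relies on state alone.
# pass in on $public all keep state
# pass out on $public all keep state

# Echo request (type 8) to the firewall's own external address; the state
# created here is what lets the matching reply back out.
pass in quick on $public inet proto icmp from any to ($public) icmp-type 8 keep state

# Router advertisement (type 9) only from the known router, never from "any".
pass in quick on $public inet proto icmp from $router to <mynet> icmp-type 9 keep state

# Echo request out from the firewall itself and from the internal network;
# the reply comes back in on the state, so no rule for type 0 is needed.
pass out quick on $public inet proto icmp from ($public) to any icmp-type 8 keep state
pass in quick on $internal inet proto icmp from <mynet> to any icmp-type 8 keep state
pass out quick on $internal inet proto icmp from any to <mynet> icmp-type 8 keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and watch what the default-deny rules drop with `tcpdump -n -e -ttt -i pflog0`: any ICMP type that is not echo request, not the router's advertisement, and not a reply matched to an existing state will appear there rather than being silently accepted.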