I tried the following. There is a "block all" earlier.

    # be more generous with pings
    block in inet proto icmp all icmp-type $icmp_types tag icmp
    pass in quick from <PingUsers> to any keep state tagged icmp
    pass in quick on $External_if from any to <ICMP_ok> keep state tagged icmp
    pass in quick on $Inside_ifs from any to any keep state tagged icmp
    pass out quick all keep state tagged icmp

I used the block on proto icmp to classify the icmp packets, then selected the three groups of users that were allowed to use them, using tags to keep track of the packets. The trouble is it didn't work. The packets were blocked on their way out. To make it work I had to give up on the tagging and use:

    pass out quick inet proto icmp from any to any icmp-type $icmp_types keep state
