On Tue, 25 Jan 2005 13:15:30 -0500, Peter Fraser <[EMAIL PROTECTED]> wrote:

> I tried the following. There is a "block all" earlier.
>
> # be more generous with pings
>
> block in inet proto icmp all icmp-type $icmp_types tag icmp
> pass in quick from <PingUsers> to any keep state tagged icmp
> pass in quick on $External_if from any to <ICMP_ok> keep state tagged icmp
> pass in quick on $Inside_ifs from any to any keep state tagged icmp
> pass out quick all keep state tagged icmp
>
> I used the block on proto icmp to classify the icmp packets, then selected
> the three groups of users that were allowed to use them, using tags to keep
> track of the packets.
>
> The trouble is it didn't work. The packets were blocked on their way out.
> To make it work I had to give up on the tagging and use:
>
> pass out quick inet proto icmp from any to any icmp-type $icmp_types keep state
>
Seems like it would make more sense as:

    block in inet proto icmp
    pass in quick from <PingUsers> to any keep state tag ICMP
    pass in quick on $External_if from any to <ICMP_ok> keep state tag ICMP
    pass in quick on $Inside_ifs from any to any keep state tag ICMP
    pass out quick all keep state tagged ICMP

I changed the case on your tag, it's not needed, but I "prefer" it that way
and it's easier to tell you mean the tag, not the protocol :)

At any rate that's how I've used tags successfully in the past.

--Bill
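The following is an added example, not code from either poster. It is a small Python model of the part of pf rule evaluation the thread turns on: rules are read top to bottom, the last matching rule decides unless a matching rule carries `quick`, `tag` applies a sticky tag to the packet, and `tagged` matches only packets that already carry that tag. State tables are not modelled, and the macros and tables from the thread (`$External_if`, `$Inside_ifs`, `<PingUsers>`, `<ICMP_ok>`) are replaced by constructed interface names and address sets so the script runs offline. Bill's ruleset is transcribed into the model and evaluated against a few constructed packets.

```python
"""Simplified model of pf filter-rule evaluation (added example, not from the thread).

Modelled: top-to-bottom evaluation, last matching rule wins, `quick` ends
evaluation at once, `tag` sets a sticky tag on the packet, `tagged` matches
only packets already carrying that tag. Not modelled: the state table, so
every packet is evaluated against the rules as if no state existed.
"""
from dataclasses import dataclass
from typing import Optional, Set, Tuple


@dataclass
class Packet:
    direction: str              # "in" or "out"
    iface: str                  # interface the packet is seen on
    proto: str                  # "icmp", "tcp", ...
    src: str
    dst: str
    tag: Optional[str] = None   # sticky tag, set by a matching `tag` rule


@dataclass
class Rule:
    action: str                     # "pass" or "block"
    direction: str                  # "in", "out" or "any"
    iface: Optional[str] = None     # None means any interface
    proto: Optional[str] = None     # None means any protocol
    src: Optional[Set[str]] = None  # None means any source
    dst: Optional[Set[str]] = None  # None means any destination
    quick: bool = False
    tag: Optional[str] = None       # tag applied when this rule matches
    tagged: Optional[str] = None    # match only packets already carrying this tag

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and (self.iface is None or self.iface == p.iface)
                and (self.proto is None or self.proto == p.proto)
                and (self.src is None or p.src in self.src)
                and (self.dst is None or p.dst in self.dst)
                and (self.tagged is None or self.tagged == p.tag))


def evaluate(rules, p: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding rule) for packet p.

    The implicit default is "block", standing in for the earlier "block all"
    Peter mentions. Tags are sticky: every matching rule that carries `tag`
    re-tags the packet, even if a later rule ends up deciding.
    """
    decision: Tuple[str, Optional[int]] = ("block", None)
    for i, r in enumerate(rules):
        if not r.matches(p):
            continue
        if r.tag is not None:
            p.tag = r.tag
        decision = (r.action, i)
        if r.quick:
            break
    return decision


# Constructed stand-ins for the thread's macros and tables (assumed values).
EXTERNAL_IF = "em0"          # $External_if
INSIDE_IFS = "em1"           # $Inside_ifs
PING_USERS = {"10.0.0.5"}    # <PingUsers>
ICMP_OK = {"192.0.2.10"}     # <ICMP_ok>

# Bill's ruleset, transcribed into the model.
BILL = [
    Rule("block", "in", proto="icmp"),
    Rule("pass", "in", src=PING_USERS, quick=True, tag="ICMP"),
    Rule("pass", "in", iface=EXTERNAL_IF, dst=ICMP_OK, quick=True, tag="ICMP"),
    Rule("pass", "in", iface=INSIDE_IFS, quick=True, tag="ICMP"),
    Rule("pass", "out", quick=True, tagged="ICMP"),
]

# Constructed sample packets.
SAMPLES = {
    "icmp to an ICMP_ok host": Packet("in", "em0", "icmp", "203.0.113.7", "192.0.2.10"),
    "icmp to another host":    Packet("in", "em0", "icmp", "203.0.113.7", "192.0.2.20"),
    "tcp to an ICMP_ok host":  Packet("in", "em0", "tcp", "203.0.113.7", "192.0.2.10"),
    "untagged packet out":     Packet("out", "em0", "icmp", "192.0.2.10", "203.0.113.7"),
    "tagged packet out":       Packet("out", "em0", "icmp", "192.0.2.10", "203.0.113.7", tag="ICMP"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        action, idx = evaluate(BILL, pkt)
        print(f"{name:26s} -> {action:5s} by rule {idx}, tag={pkt.tag}")
```

Running it shows why the ordering matters: for ICMP arriving on the external interface to an address outside `<ICMP_ok>`, the non-quick `block in inet proto icmp` is the last match and wins; for an address in `<ICMP_ok>` the later `pass in quick ... tag ICMP` ends evaluation and tags the packet, and only packets carrying that tag reach `pass out quick all keep state tagged ICMP`. The model also surfaces a caveat worth checking on a real ruleset: the `pass in quick ... to <ICMP_ok>` and `pass in quick on $Inside_ifs` rules as written carry no `proto icmp`, so in the model a TCP packet to an `<ICMP_ok>` address is passed and tagged as well; if only pings were meant to be opened, adding `proto icmp` to those pass rules (or keeping Peter's `icmp-type $icmp_types`) narrows them.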
