> On Tue, 25 Jan 2005 13:15:30 -0500, Peter Fraser <[EMAIL PROTECTED]>
wrote:
> > I tried the following. There is a "block all" earlier.
> >
> > # be more generous with pings
> >
> > block in inet proto icmp all icmp-type $icmp_types tag icmp
> > pass in quick from <PingUsers> to any keep state tagged icmp
> > pass in quick on $External_if from any to <ICMP_ok> keep state tagged icmp
> > pass in quick on $Inside_ifs from any to any keep state tagged icmp
> > pass out quick all keep state tagged icmp
> >
> > I used the block on proto icmp to classify the icmp packets, then
> > selected the three groups of users that were allowed to use them,
> > using tags to keep track of the packets.
> >
> > The trouble is it didn't work. The packets were blocked on their way
> > out. To make it work I had to give up on the tagging and use:
> >
> > pass out quick inet proto icmp from any to any icmp-type $icmp_types keep state
> >
>
> Seems like it would make more sense as:
> block in inet proto icmp
> pass in quick from <PingUsers> to any keep state tag ICMP
> pass in quick on $External_if from any to <ICMP_ok> keep state tag ICMP
> pass in quick on $Inside_ifs from any to any keep state tag ICMP
> pass out quick all keep state tagged ICMP
>
> I changed the case on your tag, it's not needed, but I "prefer" it
> that way and it's easier to tell you mean the tag, not the protocol :)
> At any rate that's how I've used tags successfully in the past.
>
> --Bill
>
The reason I attached the tag to the block was so I didn't have to
repeat the "inet proto icmp" and "icmp-type $icmp_types" for each
following line. That still doesn't explain why my way doesn't work.
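
Bill's arrangement, filled out into a complete pf.conf fragment, as an added example that is not part of either message in the thread. The interface macros, the ICMP type list and the table contents are assumptions for illustration; the thread names them but does not define them. One caveat worth noting about the rules as quoted: a rule such as "pass in quick from <PingUsers> to any keep state tag ICMP" matches every protocol from those hosts, not only ICMP, because the proto restriction lives only on the preceding block rule. The example below therefore repeats the ICMP selector on each pass rule (pf's grammar requires icmp-type after the from/to part, so it cannot be folded into a single macro with "inet proto icmp"), which is exactly the repetition Peter was trying to avoid.

```pf
# Added example (not from the thread): tag set on the stateful pass rules,
# "tagged" used only on the outbound rule, as in Bill's reply.

External_if = "fxp0"                   # assumed external interface
Inside_ifs  = "{ fxp1, fxp2 }"         # assumed inside interfaces
icmp_types  = "{ echoreq, unreach }"   # assumed ICMP types to allow

table <PingUsers> { 192.168.1.0/24 }   # assumed: hosts allowed to ping out
table <ICMP_ok>   { 192.168.1.1 }      # assumed: hosts reachable by ICMP from outside

# The "block all" the thread says comes earlier in the ruleset.
block all

# ICMP is denied unless one of the three groups below matches. The tag is
# applied by the state-creating pass rules, not by the block rule.
block in inet proto icmp all icmp-type $icmp_types
pass in quick inet proto icmp from <PingUsers> to any icmp-type $icmp_types keep state tag ICMP
pass in quick on $External_if inet proto icmp from any to <ICMP_ok> icmp-type $icmp_types keep state tag ICMP
pass in quick on $Inside_ifs inet proto icmp from any to any icmp-type $icmp_types keep state tag ICMP

# Outbound: only packets carrying the ICMP tag leave the box.
pass out quick all keep state tagged ICMP
```

Load it with "pfctl -nf" first to check that it parses before putting it into the live ruleset; the macro and table values above are placeholders and should be replaced with the real interfaces and address ranges.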