Tiv wrote:

I'm no expert, but unless you intend to block ICMP messages,
you just might want to use something like this...

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

If you can't ping/arp a host (ICMP disabled), I'd think you'd have trouble connecting via ssh...

When I block/filter ICMP on a Cisco router I get this:

ssh: connect to host targa port 22: No route to host


...just something to consider.


No, I never had to explicitly allow ICMP on any of my firewalls, because stateful filtering takes care of internet connection messaging protocol as well. I only had to explicitly allow echo requests and echo replies. Otherwise I would have allowed ICMP.
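To make the two positions above concrete, here is a minimal pf.conf fragment. It is an added example, not a ruleset posted by either participant; the interface name em0 and the inbound SSH rule are assumptions, as is the default-deny policy. It keeps the two outbound rules quoted from Tiv and adds only what the reply says was needed: explicit echo request/reply handling. ICMP error messages (unreachable, time exceeded, etc.) that refer to an existing state entry are matched to that state by pf and need no rule of their own.

```conf
# Added example pf.conf fragment (not from the thread).
# Assumed: em0 is the external interface; lo0 is trusted.
ext_if = "em0"

set skip on lo0

# Default deny: anything not matched by a pass rule below is dropped.
block all

# Outbound rules as quoted in the thread: stateful, initial TCP packets
# must be SYN-only, sequence numbers are modulated.
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

# Echo request/reply: the one ICMP case that needs an explicit rule.
# "keep state" on the inbound echo request lets our echo reply out;
# the outbound rule above already covers pings we originate, and the
# reply comes back by matching that state entry.
pass in on $ext_if inet proto icmp icmp-type echoreq keep state

# ICMP errors tied to a tracked TCP/UDP connection (e.g. destination
# unreachable, fragmentation needed) are passed by pf against the
# existing state; no separate "pass in proto icmp" rule is required.

# Assumed: inbound SSH to this host.
pass in on $ext_if proto tcp to ($ext_if) port 22 flags S/SA keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -ss` shows the ICMP state entries created by a ping so you can confirm the echo reply is matched to state rather than to a rule.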
