Emiel Kollof wrote:
I would definitely allow ICMP, because ICMP is just necessary. If you don't want ping to work, just disallow ICMP echo and reply.
Again: that config works on OpenBSD 3.8; we just cannot ping, but other ICMP works. This is from the PF users' guide:
'Another advantage of keeping state is that corresponding ICMP traffic will be passed through the firewall. For example, if keep state is specified for a TCP connection and an ICMP source-quench message referring to this TCP connection arrives, it will be matched to the appropriate state entry and passed through the firewall.'
http://www.openbsd.org/faq/pf/filter.html
