DragonFly BSD
DragonFly users List (threaded) for 2006-09

Re: Bridging again


From: Gergo Szakal <bastyaelvtars@xxxxxxxxx>
Date: Tue, 26 Sep 2006 12:04:39 +0200

Tiv wrote:

I'm no expert, but unless you intend to block ICMP messages,
you just might want to use something like this...

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

If you can't ping/arp a host (icmp disabled), I'd think you'd have trouble connecting ssh...

When I block/filter icmp on a Cisco router I get this:

ssh: connect to host targa port 22: No route to host


...just something to consider.



No, I never had to explicitly allow ICMP on any of my firewalls, because stateful filtering takes care of internet connection messaging protocol as well. I only had to explicitly allow echo requests and echo replies. Otherwise I would have allowed ICMP.
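
A minimal pf.conf sketch of the setup discussed in this thread, added here as an illustration and not taken from either poster's configuration. The interface name `em0` and the inbound ssh rule are assumptions; the two outbound rules are the ones quoted above.

```pf
# Constructed example ruleset (not from the thread).
ext_if = "em0"                      # assumed external interface name

# Default deny in both directions, so only stateful matches and the
# explicit pass rules below let traffic through.
block in  on $ext_if all
block out on $ext_if all

# Outbound rules as quoted in the thread. Each connection creates a
# state entry; return traffic is matched against that state.
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

# Inbound ssh (assumed service, port 22 as in the quoted error message).
pass in on $ext_if proto tcp from any to ($ext_if) port 22 flags S/SA keep state

# No rule is needed for ICMP errors such as "destination unreachable"
# or "time exceeded" that refer to one of the states created above:
# pf matches them to the existing state entry and passes them.

# An echo request from outside is not related to any existing state,
# so answering pings needs its own rule. The reply leaves via the
# state this rule creates.
pass in on $ext_if inet proto icmp all icmp-type echoreq keep state
```

`pfctl -nf <file>` parses a ruleset without loading it, which is a safe way to check the syntax before applying it.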



