Date: Wed, 6 Sep 2006 05:46:01 -0700
From: "John Archambeau"
To: "Matthew Seaman"
Cc: Remko Lodder, freebsd-doc@freebsd.org
Subject: Re: docs/101114: icmptype names not in icmp(4) manpage

I must be one of the few people who rtfm's first.

The Free/OpenBSD pf.conf manpage implies that number codes won't work
but the icmptype abbreviations will. Also consider the output you get
from pfctl -s[ar] which is in the OpenBSD icmptype abbreviation, not
the number code.

Another ambiguity of filtering icmp traffic with the pf.conf manpage
that should be addressed especially for those of us that migrate from
ipfw to pf.

On 9/5/06, Matthew Seaman wrote:
> John Archambeau wrote:
>
> > To create a pf.conf file (see man pf.conf) properly for filtering of
> > icmp, you must specify the icmptype(s) by abbreviation per the OpenBSD
> > icmp(4) manpage you wish to filter. It's not like ipfw where you can
> > specify the icmptype by number, it must be the type by the
> > abbreviation as specified by the OpenBSD manpage for icmptypes.
>
> Are you sure about that?
>
> happy-idiot-talk:/etc:% uname -a
> FreeBSD happy-idiot-talk.infracaninophile.co.uk 6.1-STABLE FreeBSD 6.1-STABLE #6: Mon Aug 28 14:01:08 BST 2006 root@happy-idiot-talk.infracaninophile.co.uk:/usr/obj/usr/src/sys/HAPPY-IDIOT-TALK i386
> happy-idiot-talk:/etc:% cat pf.conf
>
> icmp_types="{ 0 3 8 11 }"
>
> scrub in
> pass all
>
> pass inet proto icmp all icmp-type $icmp_types keep state
>
> happy-idiot-talk:/etc:% sudo pfctl -f pf.conf
> happy-idiot-talk:/etc:% sudo pfctl -sr
> scrub in all fragment reassemble
> pass all
> pass inet proto icmp all icmp-type echorep keep state
> pass inet proto icmp all icmp-type unreach keep state
> pass inet proto icmp all icmp-type echoreq keep state
> pass inet proto icmp all icmp-type timex keep state
>
>         Cheers,
>
>         Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.                       7 Priory Courtyard
>                                                       Flat 3
> PGP: http://www.infracaninophile.co.uk/pgpkey         Ramsgate
>                                                       Kent, CT11 9PW
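
The session quoted above shows pfctl expanding a numeric icmp-type list into one rule per type, printed by abbreviation. The following is an added example, not code from either poster or from the FreeBSD project: a Python check that performs the same expansion on a pf.conf and reports any ICMP rule missing from saved `pfctl -sr` output. The function names are hypothetical, and it assumes pfctl prints rules in the form shown in the thread.

```python
import re

# pf's abbreviations for ICMP type numbers. 0, 3, 8 and 11 are confirmed by the
# pfctl -sr output quoted in the thread; the others follow the icmp-type list in
# pf.conf(5) (assumption: verify against the man page on your release).
PF_ICMP_NAMES = {
    0: "echorep", 3: "unreach", 4: "squench", 5: "redir", 6: "althost",
    8: "echoreq", 9: "routeradv", 10: "routersol", 11: "timex",
    12: "paramprob", 13: "timereq", 14: "timerep", 15: "inforeq",
    16: "inforep", 17: "maskreq", 18: "maskrep",
}
MACRO_DEF = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')
ICMP_TYPE = re.compile(r'\bicmp-type\s+(\{[^}]*\}|\S+)')

def expand_icmp_rules(conf_text):
    """Expand macros and { } lists; return one rule per icmp-type, by name."""
    macros, rules = {}, []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        macro = MACRO_DEF.match(line)
        if macro:
            macros[macro.group(1)] = macro.group(2)
            continue
        # An undefined macro raises KeyError; pfctl rejects such a file too.
        line = re.sub(r"\$(\w+)", lambda m: macros[m.group(1)], line)
        found = ICMP_TYPE.search(line)
        if not found:
            continue  # not an ICMP-type rule; out of scope for this check
        for item in found.group(1).strip("{} ").replace(",", " ").split():
            name = PF_ICMP_NAMES.get(int(item), item) if item.isdigit() else item
            rules.append(f"{line[:found.start()]}icmp-type {name}{line[found.end():]}")
    return rules

def unloaded_rules(conf_text, pfctl_sr_output):
    """Return expanded config rules that do not appear in `pfctl -sr` output."""
    loaded = {" ".join(l.split()) for l in pfctl_sr_output.splitlines()}
    return [r for r in expand_icmp_rules(conf_text) if " ".join(r.split()) not in loaded]

# Both samples are copied from the session quoted in the thread.
THREAD_CONF = '''icmp_types="{ 0 3 8 11 }"
scrub in
pass all
pass inet proto icmp all icmp-type $icmp_types keep state
'''
THREAD_LOADED = '''scrub in all fragment reassemble
pass all
pass inet proto icmp all icmp-type echorep keep state
pass inet proto icmp all icmp-type unreach keep state
pass inet proto icmp all icmp-type echoreq keep state
pass inet proto icmp all icmp-type timex keep state
'''
```

An empty list from `unloaded_rules(THREAD_CONF, THREAD_LOADED)` means every ICMP rule in the file is present in the loaded ruleset.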