From: Jaime
To: Ian Moore
Cc: freebsd-questions@FreeBSD.org
Date: Sun, 14 Dec 2003 02:23:29 -0500
Subject: Re: IPFW via command problem

On Sunday, December 14, 2003, at 01:49 AM, Ian Moore wrote:

> # Allow outgoing pings
> ${fwcmd} add pass icmp from any to any icmptypes 8 out via ${oif}
> ${fwcmd} add pass icmp from any to any icmptypes 0 in via ${oif}
>
> where I have defined ${oif} as
> oif="xl1"
> where xl1 is my external interface
>
> The above lines don't allow pings to the outside world, but if I
> comment out via ${oif} then it does allow them.

I'd have to know more about your firewall to be certain, but it looks kind of like you've overlooked the IPFW rules that would be needed by your internal interface. If the external interface allows pings but the internal doesn't, then it won't let pings pass through the box. They will be stopped at the internal interface on their way from your internal workstation to the firewall.

Hope that helps,
Jaime
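
The situation described in the reply above can be modelled in a few lines. This is an added example, not code from the thread: it assumes a default-deny ruleset with no NAT/divert and no other rule matching ICMP, and the internal interface name `xl0` is hypothetical (only `xl1` appears in the post).

```python
# Added example: simplified model of how ipfw checks a packet routed through the box.
# Assumptions (not from the thread): default deny, no NAT/divert, internal NIC "xl0".
from collections import namedtuple

# One "pass icmp ... icmptypes N <in|out> via <if>" rule; None means "not specified".
Rule = namedtuple("Rule", "icmptype direction via")

OIF = "xl1"   # external interface, as defined in the post
IIF = "xl0"   # hypothetical internal interface

def passes(rules, icmptype, direction, iface):
    """One firewall pass: first matching pass rule wins, otherwise default deny."""
    for r in rules:
        if (r.icmptype == icmptype
                and r.direction in (None, direction)
                and r.via in (None, iface)):
            return True
    return False

def forward(rules, icmptype, recv_if, xmit_if):
    """A routed packet is checked twice: 'in' on recv_if, then 'out' on xmit_if.
    Returns None if it gets through, else (direction, iface) where it was dropped."""
    for direction, iface in (("in", recv_if), ("out", xmit_if)):
        if not passes(rules, icmptype, direction, iface):
            return (direction, iface)
    return None

def ping_from_lan(rules):
    """Echo request (type 8) from the LAN outwards, then echo reply (type 0) back."""
    return (forward(rules, 8, IIF, OIF), forward(rules, 0, OIF, IIF))

# The two rules quoted in the post: they only cover the external interface.
posted = [Rule(8, "out", OIF), Rule(0, "in", OIF)]

# The same rules plus the matching pair for the internal interface.
both = posted + [Rule(8, "in", IIF), Rule(0, "out", IIF)]

if __name__ == "__main__":
    print("posted rules:", ping_from_lan(posted))
    print("with internal-interface rules:", ping_from_lan(both))
```

With only the posted rules, the model drops the echo request on the inbound pass at the internal interface, and the reply would be dropped on its way out of that same interface.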