From: Tim Daneliuk
Date: Tue, 06 Dec 2011 23:01:46 -0600
To: FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject: SOLVED: ipfw And ping

I have a fairly restrictive firewall but I wanted to open a hole for ping and traceroute - both outbound from a NATed LAN as well as inbound to the boundary FreeBSD machine.
The magic sauce turned out to be:

    ipfw add allow icmp from any to any icmptypes 0,3,4,8,11,12

The other insight here was that this rule had to occur *after* NAT got set up or internal users on the LAN would not be able to ping.

Many thanks especially go to Robert Bonomi and Ian Smith for their help and patience with my foolish questions...

Tim
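An added example (not part of Tim's post) showing the rule above placed after in-kernel ipfw NAT, with a check that the ordering the post describes actually holds. The interface em0, the LAN 192.168.0.0/24, nat instance 1 and the rule numbers are assumptions; the ICMP type list is the one from the post.

```shell
#!/bin/sh
# Added example: an ipfw ruleset fragment that puts the ICMP allow rule
# after NAT, as the post says is required for LAN hosts to ping out.
# Assumed values (not from the post): em0, 192.168.0.0/24, nat instance 1,
# rule numbers 100/200/300/65000.
EXT_IF=${EXT_IF:-em0}
LAN_NET=${LAN_NET:-192.168.0.0/24}

# Emit the ruleset as text so it can be reviewed here without running
# ipfw (save it to a file and load it with `ipfw -q file` on the firewall).
ruleset() {
    cat <<EOF
nat 1 config if ${EXT_IF} same_ports unreg_only
add 100 nat 1 ip from any to any via ${EXT_IF}
add 200 allow icmp from any to any icmptypes 0,3,4,8,11,12
add 300 allow tcp from ${LAN_NET} to any out via ${EXT_IF} keep-state
add 65000 deny log ip from any to any
EOF
}

# Print the rule number of the first "add" rule matching a pattern.
rule_number() {
    ruleset | awk -v pat="$1" '$1=="add" && $0 ~ pat {print $2; exit}'
}

# The ordering check from the post: the ICMP allow must carry a higher
# number than the NAT rule, i.e. be evaluated after translation.
# Exit status 0 means the order is correct.
icmp_after_nat() {
    nat=$(rule_number ' nat ')
    icmp=$(rule_number 'icmp .*icmptypes')
    [ -n "$nat" ] && [ -n "$icmp" ] && [ "$icmp" -gt "$nat" ]
}

# List the ICMP types the allow rule admits, one per line, for review
# (0 echo reply, 3 unreachable, 4 source quench, 8 echo request,
# 11 time exceeded, 12 parameter problem).
allowed_icmp_types() {
    ruleset | sed -n 's/.*icmptypes \([0-9,]*\).*/\1/p' | tr ',' '\n'
}
```

Swapping rules 100 and 200 makes icmp_after_nat fail, which is the misordering the post ran into.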