Rolf Kühn wrote:
> I would like to set up the following ruleset, but it seems to be
> impossible to create the second part with the GUI:
> 1. allow incoming ICMP via WAN
> 2. drop outgoing ICMP via WAN
> (source of idea: Building Internet Firewalls, O'Reilly)
> Is there any possibility to create it?
Inbound ICMP should be blocked automatically. And outbound is simple.
If you do not need to ping your router, the WAN of m0n0, etc., a rule
would read something like:
Interface: LAN (or OPTn)
Description: Block LAN ICMP -> any
This rule needs to be before the "Pass LAN to Any" rule. You would
need a rule like that for each of your non-WAN interfaces (OPTn).
If you need to ping a router or such, you would need to write the rule
to be destination *not* network, then use the public subnet. You can
accomplish the same by defining your public subnet in the Aliases
(like PublicNet), then use the alias to write the rule.
James W. McKeand
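To make the two points in James's reply concrete (the block rule must sit above the "Pass LAN to Any" rule, and the exception for the public subnet is written as a negated destination or an alias), here is an added first-match rule evaluator. It is example code written for this thread, not m0n0wall's own code or its rule format. The rule fields beyond the ones named above (action, protocol, destination, the OPT1 pass rule) and the addresses in the PublicNet alias are assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    action: str            # "pass" or "block"
    interface: str         # interface the packet enters on: "LAN", "OPT1", ...
    proto: str             # "icmp", "tcp", "udp" or "any"
    dst: str               # CIDR, alias name, or "any"
    dst_negate: bool = False   # True means "destination *not* <dst>"
    description: str = ""


# Constructed alias, in the spirit of the "PublicNet" alias mentioned above.
ALIASES = {"PublicNet": "203.0.113.0/29"}


def _dst_matches(rule: Rule, dst_ip: str) -> bool:
    """Resolve aliases, test membership, and honour the 'not' flag."""
    if rule.dst == "any":
        hit = True
    else:
        cidr = ALIASES.get(rule.dst, rule.dst)
        hit = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(cidr, strict=False)
    return not hit if rule.dst_negate else hit


def evaluate(rules, interface: str, proto: str, dst_ip: str):
    """First matching rule wins; no match falls to the implicit default deny."""
    for rule in rules:
        if rule.interface != interface:
            continue
        if rule.proto not in ("any", proto):
            continue
        if not _dst_matches(rule, dst_ip):
            continue
        return rule.action, rule.description
    return "block", "implicit default deny"


# Correct ordering: the ICMP block sits above the catch-all pass rule, and
# excludes the public subnet so the router/WAN can still be pinged.
CORRECT = [
    Rule("block", "LAN", "icmp", "PublicNet", dst_negate=True,
         description="Block LAN ICMP -> any"),
    Rule("pass", "LAN", "any", "any", description="Pass LAN to Any"),
    Rule("pass", "OPT1", "any", "any", description="Pass OPT1 to Any"),
]

# Wrong ordering: the same rules with the block placed after the pass rule.
WRONG_ORDER = [CORRECT[1], CORRECT[0], CORRECT[2]]


def demo():
    """Return the verdicts a practitioner would check when validating the ruleset."""
    return {
        "lan_ping_internet": evaluate(CORRECT, "LAN", "icmp", "198.51.100.7"),
        "lan_ping_public_net": evaluate(CORRECT, "LAN", "icmp", "203.0.113.2"),
        "lan_tcp_internet": evaluate(CORRECT, "LAN", "tcp", "198.51.100.7"),
        "wrong_order_ping": evaluate(WRONG_ORDER, "LAN", "icmp", "198.51.100.7"),
        # OPT1 has only a pass rule, so it needs its own block rule too.
        "opt1_ping_internet": evaluate(CORRECT, "OPT1", "icmp", "198.51.100.7"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} -> {verdict}")
```

Running it shows that with the block rule first, ICMP from LAN to the Internet is dropped while ICMP to the PublicNet alias and ordinary TCP still pass; swapping the two LAN rules makes the block rule unreachable, and OPT1 keeps passing ICMP until it gets a block rule of its own.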