>Rolf Kühn wrote:
>> I would like to set up the following ruleset, but it seems to be
>> impossible to create the second part with the GUI:
>> 1. allow incoming ICMP via WAN
>> 2. drop outgoing ICMP via WAN
>> (source of idea: Building Internet Firewalls, O'Reilly)
>> Is there any possibility to create it?
>Inbound ICMP should be blocked automatically, and outbound is simple.
>If you do not need to ping your router, the WAN of m0n0, etc., a rule
>would read something like:
>Interface: LAN (or OPTn)
>Description: Block LAN ICMP -> any
>This rule needs to be before the "Pass LAN to Any" rule. You would
>need a rule like that for each of your non-WAN interfaces (OPTn).
>If you need to ping a router or such, you would need to write the rule
>to be destination *not* network, then use the public subnet. You can
>accomplish the same by defining your public subnet in the Aliases
>(like PublicNet), then use the alias to write the rule.
I think that is similar to what he asked, although not necessarily the
same (his intent was not stated).
Your rule seems to block LAN ICMP -> Internet but not Firewall ICMP ->
Internet. This is one of the simplifications of m0n0wall which is not
intuitive to those of us who have written our own rules directly in the