 From:  Alan Horn <ahorn at deorth dot org>
 To:  Falcor <falcor at netassassin dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] keep state question.
 Date:  Fri, 2 Jan 2004 11:51:53 -0800 (PST)
On Fri, 2 Jan 2004, Falcor wrote:

>I am assuming by "out" you mean from the LAN to the WAN.  Wherever
>"in" is, the rule is the same; just change the source network.  E.g. LAN,
>WAN, PPTP, OPT1, etc.

This is probably the crux of a misunderstanding.

By out I mean out on a specific interface.

With ipfilter you can filter inbound and outbound on an interface. Inbound
is when a packet arrives at that interface; outbound is when a packet
leaves that interface. As I understand it anyway.

I do _not_ mean 'out of my network', or 'in to my network'.

See: http://www.obfuscation.org/ipfilter/ipf-howto.html#TOC_12

>IPF and OpenBSD's PF allow you to muck with ICMP services, but I do not
>believe 99.99% of us want to dork with it at all.

I prefer to block everything in ICMP but a couple of essential types