Bug 144986

Summary: [pf] pf.conf example should show allowing icmp through firewall
Product: Documentation
Reporter: Rebecca Cran <bcran>
Component: Books & Articles
Assignee: Bruce Cran <brucec>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Latest   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
src.pf.pf.conf.txt none

Description Rebecca Cran freebsd_committer freebsd_triage 2010-03-23 21:40:03 UTC
The pf example in /usr/share/example/pf/pf.conf shows allowing ssh through the firewall, but it doesn't have any icmp examples, so users may not realise that icmp should normally be allowed.

Fix: 

Add the line:

#pass in on $ext_if proto icmp to ($ext_if)
Comment 1 Glen Barber 2010-04-01 00:45:08 UTC
The attached patch adds the ICMP rule to pf.conf.

Regards,

-- 
Glen Barber
Comment 2 Glen Barber freebsd_committer freebsd_triage 2010-10-09 18:08:16 UTC
Responsible Changed
From-To: freebsd-doc->gjb

I'll take this.
Comment 3 dfilter service freebsd_committer freebsd_triage 2011-02-12 20:42:58 UTC
Author: brucec
Date: Sat Feb 12 20:42:53 2011
New Revision: 218620
URL: http://svn.freebsd.org/changeset/base/218620

Log:
  If the pf.conf(5) example file is copied when setting up a firewall it's
  easy to forget about icmp. Update the file to show allowing icmp through
  the firewall.
  
  PR:	docs/144986
  MFC after:	1 month

Modified:
  head/share/examples/pf/pf.conf

Modified: head/share/examples/pf/pf.conf
==============================================================================
--- head/share/examples/pf/pf.conf	Sat Feb 12 20:28:15 2011	(r218619)
+++ head/share/examples/pf/pf.conf	Sat Feb 12 20:42:53 2011	(r218620)
@@ -32,3 +32,4 @@
 #pass in on $ext_if proto tcp to ($ext_if) port ssh
 #pass in log on $ext_if proto tcp to ($ext_if) port smtp
 #pass out log on $ext_if proto tcp from ($ext_if) to port smtp
+#pass in on $ext_if proto icmp to ($ext_if)
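Review bot: The added rule on the last line of this hunk, `#pass in on $ext_if proto icmp to ($ext_if)`, matches every ICMP type, while the tcp examples above it each name a single port. Consider narrowing the example with an `icmp-type` list (for instance echoreq and unreach) so that someone who copies the file and uncomments the line admits only the message types they need. The rule also covers IPv4 ICMP only; if the example is meant to be a complete starting point, a companion `proto icmp6` line would be needed for IPv6.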
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
Comment 4 Bruce Cran freebsd_committer freebsd_triage 2011-02-12 20:43:34 UTC
State Changed
From-To: open->patched

Patch committed to HEAD. 


Comment 5 Bruce Cran freebsd_committer freebsd_triage 2011-02-12 20:43:34 UTC
Responsible Changed
From-To: gjb->brucec

Grab.
Comment 6 dfilter service freebsd_committer freebsd_triage 2011-02-16 21:46:07 UTC
Author: brucec
Date: Wed Feb 16 21:46:03 2011
New Revision: 218759
URL: http://svn.freebsd.org/changeset/base/218759

Log:
  MFC r218620:
  
  If the pf.conf(5) example file is copied when setting up a firewall it's
  easy to forget about icmp. Update the file to show allowing icmp through
  the firewall.
  
  PR:	docs/144986

Modified:
  stable/7/share/examples/pf/pf.conf
Directory Properties:
  stable/7/share/examples/   (props changed)

Modified: stable/7/share/examples/pf/pf.conf
==============================================================================
--- stable/7/share/examples/pf/pf.conf	Wed Feb 16 21:41:44 2011	(r218758)
+++ stable/7/share/examples/pf/pf.conf	Wed Feb 16 21:46:03 2011	(r218759)
@@ -32,3 +32,4 @@
 #pass in on $ext_if proto tcp to ($ext_if) port ssh
 #pass in log on $ext_if proto tcp to ($ext_if) port smtp
 #pass out log on $ext_if proto tcp from ($ext_if) to port smtp
+#pass in on $ext_if proto icmp to ($ext_if)
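Review bot: The new line at the end of this hunk goes in without an explanatory comment, although the log message says the reason for the change is that icmp is easy to forget when the file is copied. A one-line comment above the rule saying why ICMP is normally allowed would carry that reasoning into the example file itself, where the person copying it will actually see it.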
Comment 7 Bruce Cran freebsd_committer freebsd_triage 2011-02-16 21:46:39 UTC
State Changed
From-To: patched->closed

Merged to stable/7 and stable/8.