ICMP Codes
-
Hi,
Is there a way to set ICMP codes in firewall rules? Like, filtering just Dest. Unreachable (Fragmentation Needed) for example?
-
If you set a rule's protocol to ICMP you get a drop-down to select the ICMP type that the rule will match.
-
> Hi,
> Is there a way to set ICMP codes in firewall rules? Like, filtering just Dest. Unreachable (Fragmentation Needed) for example?
Types != Codes :)
-
In that case, no, not in our GUI. pf can do it; we just don't have a way to enter them in the GUI.
(Most people confuse the codes/types, so it's safer to assume people meant types.)
-
So you want to be really specific, say type 3 (dest unreach) code 2 (protocol unreachable), while code 3 would mean port unreachable, and 4 fragmentation needed but don't-fragment set, that sort of codes.
-
That sounds nice in theory, but IIRC in reality, if those packets are actually part of a connection, pf would allow them: they wouldn't be considered "new" for evaluation by firewall rules, they'd be part of the connection state. (I could be misremembering that; it's worth double checking, but I lack the time to do so at the moment.)
-
> So you want to be really specific, say type 3 (dest unreach) code 2 (protocol unreachable), while code 3 would mean port unreachable, and 4 fragmentation needed but don't-fragment set, that sort of codes.
Yep. I envision a nice drop-down style selector for the code as well, including "any". I reckon the GUI would be sorta complex because code meanings vary with types, but it would allow for finer control over ICMP traffic and complete ICMP filtering functionality. Of course it can't be added if the underlying packet filter doesn't support filtering by type and code.
-
patches accepted :-)
-
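For reference, the type-plus-code matching that the thread says pf supports but the GUI cannot express looks like this in hand-written pf.conf syntax. This is an added example, not code from the thread or from the pfSense project; the interface name assigned to $wan is a placeholder assumption, and the symbolic ICMP names (unreach, needfrag, echoreq) are the ones documented in pf.conf(5).

```conf
# Added example, not from the thread or the pfSense project.
# Assumption: the WAN interface is em0; adjust to your system.
wan = "em0"

# Pass only "destination unreachable, fragmentation needed and DF set"
# (ICMP type 3, code 4) inbound on WAN. This is the one unreachable
# message that path MTU discovery depends on, so dropping it breaks
# large transfers through tunnels and other low-MTU paths.
pass in quick on $wan inet proto icmp icmp-type unreach code needfrag

# The same rule written with numeric type and code instead of names.
pass in quick on $wan inet proto icmp icmp-type 3 code 4

# Block every other destination-unreachable code (e.g. code 2 proto-unr,
# code 3 port-unr). "quick" above means the needfrag rule wins first.
block in quick on $wan inet proto icmp icmp-type unreach

# A type-only rule, which is all the GUI drop-down can generate today.
pass in on $wan inet proto icmp icmp-type echoreq
```

Check the syntax without loading the rules with `pfctl -nf /etc/pf.conf`, and confirm what was actually loaded with `pfctl -sr`. Keep in mind the stateful point raised above: pf consults these rules only for packets that do not already match a state table entry, so verify on your pf version how ICMP error messages that reference an existing TCP or UDP state are handled before relying on a code-level block rule to stop them.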