Hoi,

when your trusted_net, like in the default config, is a net that is not routed, then even the allowed ICMP types are dropped. The attached patch fixes that. But it opens the possibility of using not routed nets for attacks that e.g. use the IP ID to guess some stuff about the host (e.g. to guess open ports). But since any IP is usually good enough for this, I don't think it is a big regression, especially since we don't drop all nets that aren't routed.

Also I would welcome a chmod +x etc/rc.firewall.

And then an RFC: shall I convert it to an rcng script?

Any other feedback on rc.firewall is also welcome.

Index: etc/rc.firewall =================================================================== RCS file: /home/dcvs/src/etc/rc.firewall,v retrieving revision 1.4 diff -u -p -r1.4 rc.firewall --- etc/rc.firewall 28 Feb 2005 01:42:57 -0000 1.4 +++ etc/rc.firewall 21 Apr 2005 18:38:12 -0000 @@ -190,8 +190,8 @@ case ${firewall_type} in allow_trusted_nets ${firewall_trusted_nets} allow_trusted_interfaces ${firewall_trusted_interfaces} allow_connections - deny_not_routed_nets allow_icmp_types ${firewall_allowed_icmp_types} + deny_not_routed_nets open_tcp_ports ${firewall_open_tcp_ports} open_udp_ports ${firewall_open_udp_ports} deny_rest
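Review bot: the reorder in the `@@ -190,8 +190,8 @@` hunk is correct only because the rule set is first-match, and nothing in the hunk records that dependency; a later cleanup that puts `deny_not_routed_nets` back above `allow_icmp_types` would silently reintroduce the bug described in the message. Add a short comment above `deny_not_routed_nets` stating that it must come after `allow_icmp_types` so that the allowed ICMP types still reach trusted nets that are not routed. Also note that after this change `allow_icmp_types ${firewall_allowed_icmp_types}` accepts those types from every source, not just the trusted nets; if the goal is only to keep trusted non-routed nets working, consider scoping the ICMP allow to `${firewall_trusted_nets}` instead of moving the deny, which would avoid the regression the message acknowledges.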