Re: return-icmp and a particular code
On Mon, Dec 09, 2002 at 05:58:15PM -0500, Michael Lucas wrote:
> I need to be able to return specific ICMP responses to particular
> connection attempts, instead of just "unreachable" (say, "prohibited
> by filter" or some such).
The type is always "unreachable" (ICMP_UNREACH), but you can choose the
code inside that type:

  port-unr    ICMP_UNREACH_PORT (that's the default)

(complete list is in src/sbin/pfctl/pfctl_parser.c, icmp_code)

and for icmp6:

  port-unr    ICMP6_DST_UNREACH_NOPORT (default)

(same place, icmp6_code)

For the numeric list, see /usr/include/netinet/ip_icmp.h
> But, try as I might, I cannot specify any ICMP message numbers on the
> line. Judging from Google, nobody else is trying to specify message 3
> code 9 or such. How do these need to be formatted?
block return-icmp(net-prohib) in on $ext_if inet all
block return-icmp(9) ...
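As an added illustration, not part of the original reply, here is a pf.conf fragment that puts the named-code and numeric-code forms side by side, together with the IPv6 counterpart using the return-icmp6 keyword documented in pf.conf(5). The interface macro, the ports and the rule set itself are constructed for the example; the code names and constants are the ones from pfctl_parser.c and ip_icmp.h referred to above.

```conf
# Added example pf.conf fragment (not from the original post).
# $ext_if, the port and the rule set are placeholders.
ext_if = "fxp0"

# The ICMP type is always "destination unreachable" (type 3);
# the argument to return-icmp selects the code within that type.

# No code given: pf uses the default, port-unr
# (ICMP_UNREACH_PORT, code 3).
block return-icmp in on $ext_if inet proto udp from any to any port 161

# Named code: net-prohib (ICMP_UNREACH_NET_PROHIB, code 9).
block return-icmp(net-prohib) in on $ext_if inet all

# The same rule written with the numeric code instead of the name.
block return-icmp(9) in on $ext_if inet all

# IPv6: the type is ICMP6 destination unreachable; the default code is
# port-unr (ICMP6_DST_UNREACH_NOPORT), and admin-unr is the
# "administratively prohibited" code (ICMP6_DST_UNREACH_ADMIN).
block return-icmp6(admin-unr) in on $ext_if inet6 all

# Parse-check the file without loading it:
#   pfctl -nf /etc/pf.conf
```

The two inet rules are equivalent; the named form is preferable in a rule set because a reader does not have to look up what code 9 means. Whether a sending host honours the distinction between "port unreachable" and "prohibited" is up to its own stack, so the choice of code affects what the peer is told, not whether the packet is blocked.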