# pf - Allow ICMP only from certain network(s)?



## jnojr (Mar 5, 2014)

I'm working on getting PF working under Mac OSX "Mountain Lion", but this (and many other topics that don't involve clicking around the GUI) seems to be beyond the "Apple community".


```
pass in inet proto icmp all icmp-type echoreq from <network>
```
gives a syntax error.

```
pass in inet proto icmp all icmp-type echoreq
```
works. How do I only allow ICMP from certain trusted networks? I can with ipfw or iptables, I should be able to with pf.


----------



## usdmatt (Mar 5, 2014)

Have you tried something like the following? Never really used pf but I think you need to change the 'all' part of the rule rather than adding onto the end.


```
pass in inet proto icmp from network icmp-type echoreq
```


----------



## _martin (Mar 5, 2014)

usdmatt said:

> ```
> pass in inet proto icmp from network icmp-type echoreq
> ```


Given that "network" is actually used as $network and $network is a macro defined as, e.g.:

```
network="{10.0.0.0/24}"
```
it should work as expected.


----------



## SirDice (Mar 6, 2014)

The keyword `all` is just shorthand for `from any to any`.


----------



## jnojr (Mar 6, 2014)

Thanks all!


----------
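
The replies above combined into one pf.conf fragment, as an added example that is not from any poster in this thread. The macro name `trusted`, the table name and the addresses are constructed placeholders. pf passes packets that match no rule and the last matching rule wins, so the fragment blocks echo requests first and then re-allows them from the trusted sources.

```conf
# Constructed example: macro name and networks are placeholders.
trusted = "{ 10.0.0.0/24, 192.168.10.0/24 }"

# "all" is shorthand for "from any to any", so this rule covers every source.
# With no block rule pf passes by default, so a pass rule alone restricts nothing.
block in inet proto icmp all icmp-type echoreq

# The source list replaces "all"; icmp-type stays after the from/to part.
# Appending "from ..." after "all icmp-type echoreq" is what caused the syntax error.
pass in inet proto icmp from $trusted to any icmp-type echoreq

# Alternative with a table instead of a macro (angle brackets name a table in pf):
# table <trusted_nets> const { 10.0.0.0/24, 192.168.10.0/24 }
# pass in inet proto icmp from <trusted_nets> to any icmp-type echoreq
```

Running `pfctl -nf` on the ruleset file parses it without loading it, which catches a syntax error like the one in the first post before the rules go live.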

