Trying to Fix Router ICMP
That means ping.
For all kinds of reasons, but especially for getting my IPv6 tunnel, I want to allow my new router to respond to ping (are you there?) requests from the Internet on its WAN port. It should also pass ping requests to the routed subnet so the nodes there can decide whether they want to respond.
There's a nifty tool at https://check-host.net/check-ping (and they offer other checks) that will simultaneously ping from a few dozen servers around the world. Kind of neat to see the access and response timing, and also check to see if any geo-based filtering is working.
I'm testing it with my router, on both its WAN and LAN ports, and my other servers that should respond, and am not having the success I want. I can ping my router's peer, its gateway to the Internet, and it shows good times from everywhere the test shows. When I test things on my LAN, nothing responds. When I test the router WAN port, only places I either would want to filter or don't need to respond respond. Of the dozens of sources, six respond: Bulgaria, Paris, Tehran, Kazakhstan, Portugal, and Serbia.
None of the American servers respond. Really, I only need those, as I block all the HTTP and much of the mail from everywhere else. Since I'm using a CDN, I really only need to allow those servers (and a few others) access to the HTTP; the only access from unexpected sources is either bots or abuse scanners. Mail is a little more open, but does filter many IP ranges for entire countries known for UBE, and also based on reported bad servers via the likes of spamhaus.org. Honestly, 90% of the legit e-mail comes from giant services, like Google, Microsoft, and Yahoo! servers.
But the firewall rules allowing ping on the pfSense only seem to allow countries I don't need to get ping out of.
Still working on it.