Thank you very much for your detailed answer and explanation. Researching a little more, I found that it was indeed a combination of ICMPs with bad sequence numbers and ICMP errors without a preexisting connection/state entry (I assume they are responding to a source-spoofed port scan or something like that).
> Ping is the only kind people commonly allow,
> and the example ruleset shows how to deal with them (query creates state, reply matches state).
Just a minor quibble: the example ruleset at http://openbsd.org/faq/pf/example1.html#allrules shows ICMP types 8 and 11 being explicitly allowed. Since 11 is also an "error type" ICMP, I would think that it gets matched against the state table as well and does not need to be explicitly allowed. Or is this rule supposed to guard against the state entry expiring before the time-exceeded makes it back?
Cheers,
Marc
