Just a minor quibble: the example ruleset at http://openbsd.org/faq/pf/example1.html#allrules shows ICMP types 8 and 11 being explicitly allowed. Since 11 is also an "error type" ICMP, I would think that it gets matched against the state table as well and does not need to be explicitly allowed. Or is this rule supposed to guard against the state entry expiring before the time-exceeded makes it back?
No, that appears to be an error. Thanks for pointing that out.
.joel
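For readers following the thread, the point above as a pf.conf fragment. This is an added illustration, not the FAQ's own ruleset: the interface name, the macro names and the outbound pass rule are assumed. The first (commented) pair of lines reproduces the redundant form the poster describes, the second pair the corrected one.

```pf
# Added illustration, not the FAQ's ruleset: $ext_if and the macro names are assumed.
ext_if = "fxp0"

# As read by the poster: echo request (8) and time exceeded (11) both
# passed explicitly. The timex entry is redundant with state tracking.
# icmp_types = "{ echoreq, timex }"
# pass in on $ext_if inet proto icmp all icmp-type $icmp_types keep state

# Corrected: only echo requests need an explicit inbound pass. Outbound
# traffic that creates state (traceroute's UDP probes, ping's echo requests)
# lets the related ICMP errors, time exceeded included, back in via the
# state table rather than via a separate rule.
icmp_types = "echoreq"
pass out on $ext_if inet proto { tcp, udp, icmp } all keep state
pass in  on $ext_if inet proto icmp all icmp-type $icmp_types keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and confirm the behaviour by running traceroute while watching `pfctl -ss` for the UDP state entries and `tcpdump -n -e -ttt -i pflog0` for anything that gets blocked. On the expiry question raised above: the hop-by-hop time-exceeded replies come back within a round trip, well inside the default `udp.first` timeout, so the state is still there when they arrive; if a deployment genuinely needs longer, `set timeout udp.first` is the knob, not an extra pass rule.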
