Subject: Re: AW: IPF question
To: Stefan Hulbrock <s.huelbrock@biodata.de>
From: Darren Reed <darrenr@reed.wattle.id.au>
List: tech-security
Date: 07/19/2001 19:38:39
In some email I received from Stefan Hulbrock, sie wrote:
> Hi
> > > One question about IPF: If I have a tcp keep state rule, I understood that
> > > any valid ICMP traffic about the TCP connexion would be allowed without
> > > rule checking.
> > >
> > > Does that mean that someone able to snoop the TCP connexion would be able
> > > to forge an ICMP redirect packet, and that there is no way to stop this?
> > [...]
> >
> > Correct.  This is nearly never useful because the "next hop" that is the
> > redirected gateway must be on the local LAN.
> may be a problem if someone places a "bad" router in the LAN that sends
> packets elsewhere...
> 
> Hmmmm... but it shouldn't be too complicated in IPF to check for the ICMP
> types even in established connections.
> In my opinion "good ICMPs" (tm ;-) that should be allowed if a TCP conn is
> established are
> the dst-unreachables, source-quench and ttl-exceeded (hope I forgot
> none...)
> I can think of no reason where a conn is established to a server and it
> sends a redirect to the source (this should normally only happen in a local
> LAN), or any other ICMP.
> 
> This behaviour could be hard coded.

It is already:

        /*
         * If it's not an error type, then return
         */
        if ((type != ICMP_UNREACH) && (type != ICMP_SOURCEQUENCH) &&
            (type != ICMP_REDIRECT) && (type != ICMP_TIMXCEED) &&
            (type != ICMP_PARAMPROB))
                return NULL;

Darren
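An added illustration of the check discussed in this thread (example code, not from the IPFilter source or from either poster): it parses the IPv4/TCP header embedded in an ICMP error, matches it against a small table of established TCP flows, and compares the set of error types the snippet above accepts with the narrower set proposed by Stefan. The state table, the flow tuple and the sample packets are constructed here for the test, and the helper names are my own.

```python
import struct
from ipaddress import ip_address

# ICMP type numbers from RFC 792.
ICMP_UNREACH, ICMP_SOURCEQUENCH, ICMP_REDIRECT, ICMP_TIMXCEED, ICMP_PARAMPROB = 3, 4, 5, 11, 12

# Error types the quoted IPF check lets through to state matching.
IPF_ERROR_TYPES = {ICMP_UNREACH, ICMP_SOURCEQUENCH, ICMP_REDIRECT, ICMP_TIMXCEED, ICMP_PARAMPROB}
# Narrower "good ICMP" set proposed in the thread (no redirects).
STRICT_ERROR_TYPES = {ICMP_UNREACH, ICMP_SOURCEQUENCH, ICMP_TIMXCEED}


def parse_icmp_error(icmp: bytes):
    """Return (icmp_type, src, dst, sport, dport) of the TCP packet quoted
    inside an ICMP error, or None if the payload is not an IPv4/TCP header."""
    if len(icmp) < 8 + 20 + 8:           # ICMP hdr + minimal IPv4 hdr + 8 bytes of TCP
        return None
    icmp_type = icmp[0]
    inner = icmp[8:]                      # quoted original IP datagram starts after ICMP header
    ihl = (inner[0] & 0x0F) * 4
    if inner[9] != 6 or len(inner) < ihl + 8:   # protocol field must be TCP
        return None
    src = str(ip_address(inner[12:16]))
    dst = str(ip_address(inner[16:20]))
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return icmp_type, src, dst, sport, dport


def icmp_matches_state(icmp: bytes, states: set, allowed_types: set) -> bool:
    """Model of the stateful ICMP check: accept only listed error types whose
    quoted TCP header belongs to an existing (src, sport, dst, dport) flow."""
    parsed = parse_icmp_error(icmp)
    if parsed is None:
        return False
    icmp_type, src, dst, sport, dport = parsed
    return icmp_type in allowed_types and (src, sport, dst, dport) in states


def sample_icmp_error(icmp_type: int, src: str, dst: str, sport: int, dport: int) -> bytes:
    """Constructed test fixture: ICMP header (code 0, unused word zeroed) followed by
    a 20-byte IPv4 header and the first 8 bytes of the original TCP header."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                           ip_address(src).packed, ip_address(dst).packed)
    inner_tcp = struct.pack("!HHI", sport, dport, 1000)   # ports + sequence number
    return struct.pack("!BBHI", icmp_type, 0, 0, 0) + inner_ip + inner_tcp
```

With the IPF set a redirect quoting a live flow passes the state check; with the stricter set it does not, which is the difference the thread is about.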