This is helpful, but because it's so surprising that "pass proto icmp" doesn't pass all icmp traffic, I think it would help to mention it where "proto icmp" is described too.
Also, the top of the text about "sloppy" just talks about the sloppy TCP connection tracker, I think perhaps it would be better to lead with something that suggests it has multiple functions for different protocols? Index: man5/pf.conf.5 =================================================================== RCS file: /cvs/src/share/man/man5/pf.conf.5,v retrieving revision 1.594 diff -u -p -r1.594 pf.conf.5 --- man5/pf.conf.5 9 May 2022 20:29:23 -0000 1.594 +++ man5/pf.conf.5 9 May 2022 21:05:48 -0000 @@ -594,6 +594,13 @@ or .Pc must match. .Pp +ICMP responses are not permitted unless they either match an +existing request, or unless +.Cm no state +or +.Cm keep state (sloppy) +is specified. +.Pp .It Cm label Ar string Adds a label to the rule, which can be used to identify the rule. For instance, @@ -2177,7 +2184,7 @@ States created by this rule are exported .Xr pflow 4 interface. .It Cm sloppy -Uses a sloppy TCP connection tracker that does not check sequence +For TCP, uses a sloppy connection tracker that does not check sequence numbers at all, which makes insertion and ICMP teardown attacks way easier. This is intended to be used in situations where one does not see all @@ -2186,7 +2193,8 @@ It cannot be used with .Cm modulate state or .Cm synproxy state . -With this option ICMP replies can create states. +For ICMP, this option allows states to be created from replies, +not just requests. .It Ar timeout seconds Changes the .Ar timeout
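Review bot: in the first hunk (the paragraph added after "must match."), "unless they either match an existing request, or unless" stacks "either" and "unless"; "ICMP responses are not permitted unless they match an existing request, or unless .Cm no state or .Cm keep state (sloppy) is specified." reads cleaner. It would also help to say in one clause what matching means here (the response corresponds to a request for which a state already exists), since that is exactly the check an operator gives up by choosing either option.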
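Review bot: in the second hunk, the rewritten first line "For TCP, uses a sloppy connection tracker" now scopes the sentence to TCP, but the .It Cm sloppy entry still opens as though it described a single tracker; a short lead line before it, e.g. "Relaxes state tracking; the effect depends on the protocol.", would tell the reader that the ICMP behaviour described later in the same entry belongs to the same option. Keeping the existing clause about insertion and ICMP teardown attacks becoming easier is right, since that cost should stay next to the option that incurs it.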
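Review bot: in the third hunk, "allows states to be created from replies, not just requests" should state plainly that an ICMP reply with no matching request is then accepted and creates state, i.e. the requirement introduced in the first hunk no longer applies; a cross-reference to that paragraph would keep the two descriptions from drifting apart. Consider also whether a sentence about this belongs in the proto icmp description, since that is where a reader who writes "pass proto icmp" will look first.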