> # tcpdump -n -i sis2 'icmp'
> 19:21:05.848459 wan_if.ip > external.host: icmp: echo request
> 19:21:05.868202 external.host > wan_if.ip: icmp: echo reply
> 19:21:05.868499 wan_if.ip > external.host: icmp: host wan_if.ip unreachable
>
> I was obviously expecting the first two lines but I assumed that PF
> would just drop the echo reply and not issue an ICMP host unreachable.

The block policy only applies to the "block" rule. In this case the ICMP unreachable is matching state, since it is corresponding ICMP traffic, as noted in the PF FAQ: http://www.openbsd.org/faq/pf/filter.html#state