1pass in proto tcp all flags S keep state(icmp-head icmpredir) 2block out proto icmp all icmp-type redir group icmpredir 3