1*22ab6602Schristospass out proto tcp all flags S keep state(icmp-head icmpredir) 2*22ab6602Schristosblock in proto icmp all icmp-type redir group icmpredir 3