Denial of service attacks are as rampant as buffer overflow exploits. Many denial of
service attacks rely on glitches in the OS's TCP/IP stack. Frequently, these attacks have
come in the form of ICMP packets. Why not block them entirely?

    block in log quick on tun0 proto icmp from any to any

Now any ICMP traffic coming in from tun0 will be logged and discarded.