From: "Tomi Kaistila" (envelope-from tomi.kaistila@datamike.org)
To: freebsd-net@freebsd.org
Date: Fri, 19 Mar 2004 01:50:10 +0200
Subject: Filtering established connection in ipfw
List-Id: Networking and TCP/IP with FreeBSD

Hello,

Some time ago I got a second computer; I installed FreeBSD 5.2 on it (full installation) and I'm on my way to making a server out of it. Basically from the beginning, I've been struggling with ipfw to make up a good ruleset. I've enabled IPFIREWALL in the kernel. My philosophy is: if it's not in the rules, deny it. I have a very strict ruleset at the moment, only allowing connections to certain services and all from designated ports. All other connections are denied.

My problem is that this also hinders my use of the Internet from this machine. Although I have a rule that allows all connections from the server to the outside, many connections spawn a reply, i.e. if I ping an address, I must also enable ICMP from the outside world to my machine to receive the reply. My question is: can I make a rule that allows such replies to pass the packet filter, but drops the packet if it is not such a reply or similar signal? I tried using the setup and established flags, but either I did something wrong or it just didn't work out that way.

-- Tomi
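The stateful ruleset the question asks for, as an added example that is not part of this thread: ipfw's check-state/keep-state dynamic rules admit only the replies to connections this host itself opened, which the TCP-flag-only `established` option cannot do (it matches any segment with ACK or RST set and does nothing for UDP or ICMP). The outside interface `em0` and SSH as the single inbound service are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): a default-deny ipfw ruleset
# that lets the host originate TCP/UDP/ICMP traffic and accepts only the
# replies, via dynamic rules (keep-state / check-state).
# Assumptions (placeholders): outside interface em0, SSH (22) offered inbound.

OIF="em0"

# Emit the ruleset, one ipfw(8) command per line.
gen_ruleset() {
    cat <<EOF
ipfw -q flush
ipfw add 100 allow ip from any to any via lo0
ipfw add 200 deny ip from any to 127.0.0.0/8
ipfw add 210 deny ip from 127.0.0.0/8 to any
ipfw add 300 check-state
ipfw add 400 allow tcp from me to any out via ${OIF} setup keep-state
ipfw add 410 allow udp from me to any out via ${OIF} keep-state
ipfw add 420 allow icmp from me to any out via ${OIF} keep-state
ipfw add 500 allow tcp from any to me 22 in via ${OIF} setup keep-state
ipfw add 510 allow icmp from any to me in via ${OIF} icmptypes 3,4,11
ipfw add 65000 deny log ip from any to any
EOF
}

# Rule 300 (check-state) is what passes the replies: a packet matching a
# dynamic rule created by an earlier keep-state rule is accepted here, in
# either direction, and everything else falls through to the specific
# rules and finally to the default deny at 65000.  Rules 400-420 create the
# dynamic entries when this host starts a connection (TCP only on the
# initial SYN, thanks to "setup"); non-TCP entries expire on a short
# timer.  Rule 510 still admits ICMP errors (unreachable, source quench,
# time exceeded) that carry no matching state, so path MTU discovery and
# traceroute keep working.

# Print the ruleset; on the FreeBSD box run "gen_ruleset | sh" as root.
gen_ruleset
```

Load it from /etc/rc.firewall or a script referenced by firewall_script in rc.conf; `ipfw -d list` shows the dynamic entries while a connection you started is open.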