Subject: Re: IPF Configuration
To: None <netbsd-help@NetBSD.org>
From: Richard Ibbotson <richard@sheflug.co.uk>
List: netbsd-help
Date: 10/22/2003 21:56:52
Hi
Will this do?
<snip 80-odd lines>
-----------------------------------

# assumes that ippp0 is frontend

# POLICY
block in log all

# lo0: LOOPBACK POLICY completely open
pass in quick on lo0 all
pass out quick on lo0 all

# state rules - last one is ping
pass out on ippp0 proto tcp/udp from any to any keep state
pass out on ippp0 proto icmp from any to any
pass out on ippp0 proto icmp from any to any icmp-type 8 keep state

# servers

# ssh
pass in on ippp0 proto tcp from any to any port = ssh flags S keep state keep frags
Probably :)  It's a lot simpler and more elegant than my own weak 
effort.  Bit worried about allowing SSH in but I suppose that it has 
to happen.

So, this will allow ftp, web pages, ssh and e-mail?  Could it be 
improved in any way?  Such as blocking any connection to X-windows.  
I would suppose that the default policy at the top would be the answer 
to that.  Something like allowing a service such as SSH but filtering 
it so that any strange requests are blocked.  I think you would 
probably use PAM for that kind of thing anyway.

How about sending over the rest of it off the list and I'll have a 
quiet think about it for a day or two :)

Thanks
Richard
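The ruleset quoted above relies on two IPFilter behaviours that are easy to misread: the last matching rule wins (not the first) unless a rule says `quick`, and a `keep state` pass rule lets the return traffic of that flow through without consulting the rules again. The following is an added example, not code from the thread or from NetBSD, that models those semantics over the quoted rules and walks a few constructed packets through them, including an unsolicited inbound X11 connection, which the `block in log all` default already catches. It assumes a simplified state table keyed on the two endpoints, that the service name `ssh` resolves to port 22, and uses made-up addresses; the real ipf state engine tracks sequence numbers and timeouts, which this model ignores.

```python
"""Minimal model of IPFilter rule evaluation for the ruleset quoted in the thread.
Assumptions (not from the page): last-match-wins unless 'quick'; 'keep state' on a
pass rule adds the flow to a state table and later packets of that flow in either
direction bypass the rules; 'ssh' resolves to 22; hosts and ports are constructed."""
from dataclasses import dataclass
from typing import Optional

# Ruleset as quoted in the thread (the wrapped ssh rule joined onto one line).
RULESET = """
# assumes that ippp0 is frontend
block in log all
pass in quick on lo0 all
pass out quick on lo0 all
pass out on ippp0 proto tcp/udp from any to any keep state
pass out on ippp0 proto icmp from any to any
pass out on ippp0 proto icmp from any to any icmp-type 8 keep state
pass in on ippp0 proto tcp from any to any port = ssh flags S keep state keep frags
"""

SERVICES = {"ssh": 22}  # hypothetical stand-in for an /etc/services lookup

@dataclass
class Rule:
    action: str
    direction: str
    quick: bool = False
    log: bool = False
    iface: Optional[str] = None
    protos: Optional[frozenset] = None   # None means any protocol
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    syn_only: bool = False               # 'flags S': only the initial SYN matches
    keep_state: bool = False

@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False                    # TCP SYN set without ACK
    icmp_type: int = -1

def parse_rule(line):
    t = line.split()
    r = Rule(action=t[0], direction=t[1])
    i = 2
    while i < len(t):
        w = t[i]
        if w == "log":
            r.log = True
        elif w == "quick":
            r.quick = True
        elif w == "on":
            r.iface = t[i + 1]; i += 1
        elif w == "proto":
            r.protos = frozenset(t[i + 1].split("/")); i += 1
        elif w == "port":                # 'port = NAME' on the 'to' side
            v = t[i + 2]
            r.dport = SERVICES[v] if v in SERVICES else int(v); i += 2
        elif w == "icmp-type":
            r.icmp_type = int(t[i + 1]); i += 1
        elif w == "flags":
            r.syn_only = (t[i + 1] == "S"); i += 1
        elif w == "keep" and t[i + 1] == "state":
            r.keep_state = True; i += 1
        # 'all', 'from any to any' and 'keep frags' add no constraint in this model
        i += 1
    return r

def parse_ruleset(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]

def matches(r, p):
    if r.direction != p.direction:                          return False
    if r.iface and r.iface != p.iface:                      return False
    if r.protos and p.proto not in r.protos:                return False
    if r.dport is not None and p.dport != r.dport:          return False
    if r.icmp_type is not None and p.icmp_type != r.icmp_type: return False
    if r.syn_only and not p.syn:                            return False
    return True

def flow_key(p):
    # Direction-independent key so the reply of a kept flow is recognised.
    return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

def evaluate(rules, p, state):
    """Return (action, logged) for packet p; state is a mutable set of flow keys."""
    if flow_key(p) in state:
        return "pass", False
    final = None
    for r in rules:
        if matches(r, p):
            final = r                    # last match wins ...
            if r.quick:
                break                    # ... unless it is marked quick
    if final is None:
        return "pass", False             # IPFilter passes when no rule matches
    if final.action == "pass" and final.keep_state:
        state.add(flow_key(p))
    return final.action, final.log

def demo():
    rules, state, out = parse_ruleset(RULESET), set(), {}
    req = Packet("out", "ippp0", "tcp", "10.0.0.2", "192.0.2.80", 40000, 80, syn=True)
    out["web_out"] = evaluate(rules, req, state)[0]
    out["web_reply_in"] = evaluate(rules, Packet("in", "ippp0", "tcp", "192.0.2.80", "10.0.0.2", 80, 40000), state)[0]
    out["x11_in"] = evaluate(rules, Packet("in", "ippp0", "tcp", "198.51.100.9", "10.0.0.2", 5555, 6000, syn=True), state)
    out["ssh_syn_in"] = evaluate(rules, Packet("in", "ippp0", "tcp", "198.51.100.9", "10.0.0.2", 5556, 22, syn=True), state)[0]
    out["ssh_ack_in"] = evaluate(rules, Packet("in", "ippp0", "tcp", "198.51.100.9", "10.0.0.2", 5557, 22), state)[0]
    out["ping_in"] = evaluate(rules, Packet("in", "ippp0", "icmp", "198.51.100.9", "10.0.0.2", icmp_type=8), state)[0]
    out["ping_out"] = evaluate(rules, Packet("out", "ippp0", "icmp", "10.0.0.2", "198.51.100.9", icmp_type=8), state)[0]
    out["ping_reply_in"] = evaluate(rules, Packet("in", "ippp0", "icmp", "198.51.100.9", "10.0.0.2", icmp_type=0), state)[0]
    return out

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:14s} {v}")
```

Running `demo()` shows the inbound X11 attempt and the inbound ping both ending at `block` with logging on, because nothing after `block in log all` matches them; the ssh SYN passes while a bare ACK to port 22 with no state entry does not, which is what `flags S keep state` buys you over a plain `pass in`.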