Subject: Re: ipf.conf rulesets for outside firewall.
To: mcmahill@mtl.mit.edu, Rene Hexel <rh@idle.trapdoor.vip.at>
From: Alicia da Conceicao <alicia@cyberstation.ca>
List: port-i386
Date: 01/06/2000 14:36:12
mcmahill@mtl.mit.edu wrote:
> # keep state on tcp/udp and icmp connections so we can allow
> # incoming packets which are in response to ones we sent out
> pass out quick on fxp1 proto tcp/udp from any to any keep state
> pass out quick on fxp1 proto icmp    from any to any keep state

rh@idle.trapdoor.vip.at wrote:
> This is because you use stateless rules for outgoing connections. 
> Thus, any reply packets will be dropped by the 'incoming' rules.  If you
> use 'keep state' for your outgoing rules as well, this problem should go
> away ...

Thanks again, I added the above keep state pass out rules, and it did the
trick!  The firewall now keeps out unwanted connections from the outside,
while allowing internal connections to the outside.  Exactly what I wanted.

Thanks again.  :-)  Sincerely, Alicia.
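For readers arriving at this thread later, here is a complete ipf.conf that shows the stateless ruleset that causes the symptom Rene describes next to the stateful version that fixes it. This is an added example, not the ruleset from the original messages: fxp1 as the outside interface is taken from the quoted rules, while fxp0, the 192.168.1.0/24 inside network and the inbound port 22 rule are assumptions made for illustration.

```ipf
# Added example ruleset (not from the original message).
# Assumptions: fxp1 is the outside interface, as in the quoted rules;
# fxp0 and the 192.168.1.0/24 inside network are made up for illustration.
#
# ipf evaluates every rule and the LAST match wins, unless a rule says
# "quick", which stops evaluation at that rule.

# --- Weak version (the symptom discussed in this thread) -----------------
# Stateless outbound rules: the outbound SYN leaves, but the returning
# SYN/ACK is evaluated on its own against the inbound rules, matches
# "block in all" and is dropped, so internal hosts cannot connect out.
#
#   block in  all
#   block out all
#   pass out quick on fxp1 proto tcp/udp from any to any
#   pass out quick on fxp1 proto icmp    from any to any

# --- Corrected version --------------------------------------------------
# Default deny in both directions; anything not explicitly passed is
# dropped.  Log the inbound drops so probes from outside are visible.
block in  log all
block out all

# Anti-spoofing: nothing arriving on the outside interface may claim a
# private (RFC 1918) source address, including our own inside network.
block in quick on fxp1 from 10.0.0.0/8     to any
block in quick on fxp1 from 172.16.0.0/12  to any
block in quick on fxp1 from 192.168.0.0/16 to any

# Allow everything on loopback and on the inside interface.
pass in  quick on lo0  all
pass out quick on lo0  all
pass in  quick on fxp0 all
pass out quick on fxp0 all

# Outbound traffic: create a state entry on the first packet.  For TCP only
# a SYN (flags S: S set, A clear) may open state, so a stray ACK or RST
# from outside cannot seed an entry.  The state table is consulted before
# the rules, so the replies (SYN/ACK, data, UDP answers, ICMP replies)
# come back in even though "block in log all" would otherwise drop them.
pass out quick on fxp1 proto tcp  from any to any flags S keep state
pass out quick on fxp1 proto udp  from any to any keep state
pass out quick on fxp1 proto icmp from any to any keep state

# Services the firewall really offers to the outside: keep state here too,
# so the outbound half of the connection needs no extra rule.  Port 22 is
# an assumption standing in for whatever the firewall actually serves.
pass in quick on fxp1 proto tcp from any to any port = 22 flags S keep state
```

Load it with `ipf -Fa -f /etc/ipf.conf` (`-Fa` flushes the old rules first; `ipf -nf /etc/ipf.conf` parses without installing anything). After an outbound connection from the inside, `ipfstat -sl` should list the state entry that admits its replies; if the entry is missing, the outbound packet is matching a rule without `keep state`.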