Subject: Re: ipf.conf rulesets for outside firewall.
To: Alicia da Conceicao <alicia@cyberstation.ca>
From: None <mcmahill@mtl.mit.edu>
List: port-i386
Date: 01/06/2000 08:57:26
On Thu, 6 Jan 2000, Alicia da Conceicao wrote:

> Rene Hexel wrote:
> >   Basically, what you do is block everything and then let through the
> > services you want (the following example uses groups to make things more
> > readable):
> > block in log on fxp1 all head 100
> > block in log proto tcp all flags S/SA head 101 group 100
> > block in log proto udp all head 102 group 100
> > pass in quick proto tcp from any to any port = 22 keep state group 101
> > pass in quick proto udp from any to any port = 22 keep state group 102
> > pass in quick proto udp from any to any port = 53 keep state group 102
> 
> Hi Rene:
> 
> Thank you for your quick response.  Although the above rulesets do the
> trick and restrict access from the outside, these rules unfortunately
> do not allow the internal LAN or the firewall server itself to access
> the outside Internet.  When logged into the firewall, I cannot ping the
> outside, or make TCP socket connections either.
> 
> Any ideas on what changes need to be made to the above rules so that they
> can allow the firewall to access the outside Internet, while restricting
> the outside from coming in?
> 
> Thanks in advance.  Sincerely, Alicia.

assuming fxp1 is the external internet interface:

# keep state on tcp/udp and icmp connections so we can allow
# incoming packets which are in response to ones we sent out
pass out quick on fxp1 proto tcp/udp from any to any keep state
pass out quick on fxp1 proto icmp    from any to any keep state

# allow PING
pass in quick on fxp1 proto icmp from any to any icmp-type 8

# allow TRACEROUTE
pass in quick on fxp1 proto icmp from any to any icmp-type 11

-Dan
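For a reader putting the two halves of this thread together, here is the complete ipf.conf that results from merging Rene's inbound block/group rules with Dan's outbound keep-state and ICMP rules. This is an added example, not a file posted by either of them; it assumes fxp1 is the external interface (as Dan does) and that the internal LAN sits on an interface the rules do not name, which I call fxp0 only in the comments.

```conf
# Merged ruleset (example only). Assumed: fxp1 = external interface,
# fxp0 = internal LAN interface (name assumed, not from the thread).
#
# How ipf evaluates this: a packet is first checked against the state
# table; if it belongs to a tracked session it passes without reading
# the rules at all. Otherwise rules are walked top to bottom within the
# packet's direction ("in" or "out"); "quick" stops at the first match,
# and rules in a group are only consulted by packets that hit the head.

# --- Outbound on the external interface -------------------------------
# Record state for everything the firewall (or a LAN host being
# forwarded out fxp1) sends, so the replies come back in via the state
# table instead of hitting the inbound block rules below.
pass out quick on fxp1 proto tcp/udp from any to any keep state
pass out quick on fxp1 proto icmp    from any to any keep state

# --- Inbound on the external interface: default deny, logged ----------
# Nothing is opened on the external interface unless a rule in
# group 101 (TCP) or 102 (UDP) explicitly passes it.
block in log on fxp1 all head 100
block in log proto tcp all flags S/SA head 101 group 100
block in log proto udp all head 102 group 100

# Services allowed in from outside (Rene's original list).
# "keep state" here means only the first SYN of an ssh session is
# evaluated by the rules; the rest of the session rides on state.
pass in quick proto tcp from any to any port = 22 keep state group 101
pass in quick proto udp from any to any port = 22 keep state group 102
pass in quick proto udp from any to any port = 53 keep state group 102

# --- ICMP that outbound state does not cover ----------------------------
# type 8  = echo request: lets outside hosts ping the firewall; echo
#           replies to our own pings already pass via the state table.
# type 11 = time exceeded: the per-hop answers traceroute relies on,
#           which in this ipf version are not matched to UDP state.
pass in quick on fxp1 proto icmp from any to any icmp-type 8
pass in quick on fxp1 proto icmp from any to any icmp-type 11

# No block rule names fxp0, so traffic arriving from the LAN is passed
# by ipf's default policy and then goes out fxp1 under the keep-state
# rules above. Address translation for a private LAN is an ipnat
# matter and is not part of this file.
```

To load it, flush the old rules and read the file with `ipf -Fa -f /etc/ipf.conf`, then confirm the loaded in/out lists with `ipfstat -io`; blocked packets from the `log` rules show up through ipmon, which is the quickest way to see which rule is dropping a connection you expected to work.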