Filtering established connection in ipfw

Tomi Kaistila tomi.kaistila at datamike.org
Thu Mar 18 15:50:02 PST 2004


Hello

Some time ago I got a second computer and installed FreeBSD 5.2 on it (a full
installation), and I'm on my way to making a server out of it. Basically,
from the beginning I've been struggling with ipfw to make up a good
ruleset.

I've enabled IPFIREWALL in the kernel. My philosophy is: if it's not in the
rules, deny it. I have a very strict ruleset at the moment, only allowing
connections to certain services, and all from designated ports. All other
connections are denied. My problem is that this also hinders my use of the
Internet from this machine. Although I have a rule that allows all
connections from the server to the outside, many connections spawn a reply,
i.e. if I ping an address, I must also enable ICMP from the outside world to
my machine to receive the reply.

My question is, can I make a rule that allows such replies to pass the
packet filter, but to drop if it is not such a reply or similar signal? I
tried using the setup and established flags but either I did something wrong
or it just didn't work out that way.

--
Tomi
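The behaviour asked for above is what ipfw's dynamic rules (`keep-state` / `check-state`) provide: the server's own outbound traffic records a flow, and only packets belonging to that flow are let back in, whereas `established` is a stateless check on the TCP RST/ACK flags. The following is an added example, not from the original post or the FreeBSD handbook; the external interface name `fxp0` and SSH as the only offered service are placeholder assumptions, and `IPFW` defaults to `echo` so the script only prints the rules unless run as `IPFW=/sbin/ipfw` on the FreeBSD box.

```shell
#!/bin/sh
# Added example (not from the original post): a default-deny ipfw
# ruleset that lets replies to the server's own outbound traffic back
# in through dynamic (stateful) rules instead of trusting TCP flags.
# Placeholders: OIF is the external interface, IPFW the command used
# to load rules (echo = dry run that only prints them).
OIF="${OIF:-fxp0}"
IPFW="${IPFW:-echo}"

# Emit the ruleset, one "ipfw add" argument list per line.
ruleset() {
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any
# check-state first: packets that belong to a flow recorded by an
# earlier keep-state rule are accepted here, so a ping reply or a
# returning TCP segment never reaches the final deny.
add 1000 check-state
# Inbound service: only the SYN of a new connection is examined, and
# keep-state records the flow so the server's replies get back out.
add 2000 allow tcp from any to me 22 in via ${OIF} setup keep-state
# Outbound from the server: record each flow so that only genuine
# replies are let in. Unlike "established", which matches any packet
# with RST or ACK set, a dynamic rule is tied to the exact address pair.
add 3000 allow tcp from me to any out via ${OIF} setup keep-state
add 3100 allow udp from me to any out via ${OIF} keep-state
add 3200 allow icmp from me to any out via ${OIF} icmptypes 8 keep-state
# Everything else is dropped and logged so denials can be reviewed.
add 65000 deny log ip from any to any
EOF
}

# Number of rules that use stateful matching (check-state or keep-state).
count_stateful() {
    ruleset | grep -v '^#' | grep -c -e 'check-state' -e 'keep-state'
}

# Flush the running ruleset, then feed each rule to ipfw.
apply_ruleset() {
    "$IPFW" -q flush
    ruleset | grep -v '^#' | while read -r rule; do
        "$IPFW" -q $rule
    done
}

apply_ruleset
```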



More information about the freebsd-net mailing list