Hi. I have what I think is a fairly typical client-only firewall setup - my netfilter box allows all protocols out from the internal network, masquerading the address on the way, and blocks all packets coming back from the Internet except those matching state ESTABLISHED,RELATED.
It works fine and does what I want. However, quite a number of servers (mail, ftp for example) send an IDENT request back when I contact them, which the firewall simply drops, because it's addressed to the external IP of the firewall (because that was the source address on the masqueraded outgoing request). Is there any way to allow such IDENT packets, which arrive immediately after an outgoing connection, to be classified as RELATED, and to be NATed on to the internal client (as, for example, some ICMP packets do, I believe)? I guess the more general question is: can I control what sort of packets get classified as RELATED?

Antony.
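The classification Antony's setup relies on, as an added model example that is not part of the post or of netfilter itself: a tiny conntrack-style table that records masqueraded outbound flows and then labels what comes back from the Internet as ESTABLISHED, RELATED or NEW. All addresses are constructed stand-ins, and the `expect` method is a hypothetical stand-in for the expectations that netfilter's protocol helpers register (the FTP helper does this for the data connection), which is the mechanism behind RELATED for new connections.

```python
# Constructed model (not netfilter source) of how a masquerading, state-tracking
# firewall decides ESTABLISHED / RELATED / NEW for packets arriving from outside.
EXT_IP = "203.0.113.5"      # firewall's external address (constructed value)
CLIENT_IP = "192.168.1.10"  # internal client (constructed value)
class Conntrack:
    def __init__(self):
        self.flows = {}         # masqueraded 5-tuple -> originating client
        self.expectations = {}  # (proto, peer_ip, dst_port) -> client, set by helpers

    def outbound(self, proto, client_ip, sport, dst_ip, dport):
        # Record an outgoing flow; its source became EXT_IP on the way out.
        self.flows[(proto, EXT_IP, sport, dst_ip, dport)] = client_ip

    def expect(self, proto, peer_ip, dst_port, client_ip):
        # Hypothetical stand-in for what a protocol helper registers (FTP data, etc.).
        self.expectations[(proto, peer_ip, dst_port)] = client_ip

    def classify(self, pkt):
        """State of a packet arriving from the Internet at EXT_IP."""
        p, src, dst = pkt["proto"], pkt["src"], pkt["dst"]
        sport, dport = pkt.get("sport"), pkt.get("dport")
        if (p, dst, dport, src, sport) in self.flows:   # reply to a tracked flow
            return "ESTABLISHED"
        if p == "icmp" and "inner" in pkt:              # ICMP error quoting a flow
            i = pkt["inner"]
            if (i["proto"], i["src"], i["sport"], i["dst"], i["dport"]) in self.flows:
                return "RELATED"
        if (p, src, dport) in self.expectations:        # connection a helper expected
            return "RELATED"
        return "NEW"   # nothing ties it to a tracked flow, e.g. an inbound IDENT SYN

def input_verdict(ct, pkt):
    """The post's policy: accept ESTABLISHED,RELATED from outside, drop the rest."""
    return "ACCEPT" if ct.classify(pkt) in ("ESTABLISHED", "RELATED") else "DROP"

def demo():
    """Client opens SMTP to a mail server; classify what comes back."""
    ct, mail = Conntrack(), "198.51.100.7"      # mail server address is constructed
    ct.outbound("tcp", CLIENT_IP, 40000, mail, 25)
    pkts = {
        "smtp_reply": {"proto": "tcp", "src": mail, "sport": 25, "dst": EXT_IP, "dport": 40000},
        "ident": {"proto": "tcp", "src": mail, "sport": 51234, "dst": EXT_IP, "dport": 113},
        "icmp_error": {"proto": "icmp", "src": mail, "dst": EXT_IP, "inner":
                       {"proto": "tcp", "src": EXT_IP, "sport": 40000, "dst": mail, "dport": 25}},
    }
    out = {n: (ct.classify(p), input_verdict(ct, p)) for n, p in pkts.items()}
    # Only a helper's expectation turns the IDENT connection into RELATED.
    ct.expect("tcp", mail, 113, CLIENT_IP)
    out["ident_after_expect"] = (ct.classify(pkts["ident"]), input_verdict(ct, pkts["ident"]))
    return out
```

In the model, the SMTP reply is ESTABLISHED and the ICMP error quoting the tracked flow is RELATED, while the inbound IDENT connection to the external address is NEW and dropped unless something has registered an expectation for it.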
