Following the helpful advice from this list, I have a m0n0 on a net4801
set up as a transparent bridge. Admin is through the LAN port and OPT1
is bridged to WAN (which uses a disposable IP address just to make the
config happy). I also have bridge filtering enabled.
I've put in a few rules but don't see how to (or whether I need to) add
rules that only allow "related" incoming packets. From status.php I
see a set of rules
@15 skip 1 in proto tcp from any to any flags S/FSRA
@16 block in quick proto tcp from any to any
Can I assume that these rules are blocking incoming (from the WAN)
packets which are not related to prior out-going packets?
Hold on. I just thought of a way to test ... The answer seems to be
no. Things initiated from the outside seem to pass in just fine over
the bridge.
The basic set up is (I hope everyone is reading mail with a fixed width
font)
        DSL/Eth
           |
  ------------------     ----------------
  |   NAT/Router   |-----|    bridge    |
  ------------------     ----------------
           |                    |
       adm-port                 |
                              switch
The NAT (another m0n0wall) is doing the job I need, but I would also
like the bridge to reject things from the red side of the bridge
that weren't initiated on the green side. (The reason for this is
that I am just testing the bridge where it is; it will be deployed
elsewhere).
So is there a rule that I can add to my WAN (on the bridge) that will
block externally initiated packets? I guess this is asking whether I
can create rules that are sensitive to flags?
--
Jeffrey Goldberg http://www.goldmark.org/jeff/
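An ipfilter rule set of the kind the question is asking about, added here as an illustration and not taken from the poster's configuration or from m0n0wall's own generated rules. It assumes sis0 is the interface facing the red (WAN) side; the idea is that nothing is allowed in on that interface by default, and only connections leaving it create state entries, which is what lets the matching replies back through.

```conf
# Constructed example of stateful filtering on the red-side interface.
# "sis0" is an assumed interface name for the WAN side of the bridge.

# Drop everything arriving on the red side unless a state entry
# (created by one of the pass out rules below) already matches it.
block in quick on sis0 all

# TCP: only a bare SYN (S set, A clear) may create state, so a single
# outgoing connection attempt from the green side opens the return path.
pass out quick on sis0 proto tcp from any to any flags S/SA keep state

# UDP and ICMP have no handshake; state is keyed on the first packet
# leaving the green side and expires on its own.
pass out quick on sis0 proto udp from any to any keep state
pass out quick on sis0 proto icmp from any to any keep state
```

With these in place a SYN arriving on sis0 from outside hits the block rule because no state exists for it, while replies to green-initiated traffic match the state table before the rules are consulted.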