Here is what a typical reject would look like:

    Jan 5 07:52:50 foo kernel: ** OUT_TCP DROP ** IN= OUT=eth0 SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=1420 TOS=0x00 PREC=0x00 TTL=64 ID=11955 DF PROTO=TCP SPT=80 DPT=40980 WINDOW=6432 RES=0x00 ACK URGP=0
How can I configure APF so that I enable this type of response to go through, but do not allow a connection that really starts from my machine to go out?
How to allow a range of DPT=xxxxx to go out as long as SPT=80? (i.e. only responses to http requests)
However, if there is a fair chance of someone getting wget (or some other app) to spoof the "SPT=80" part... well then I will keep things as they are, and life sucks for those whose browsers suck.
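An added example, not part of the original post or of APF itself. The dropped packet above has only ACK set and SPT=80 with IN= empty, i.e. it is the local web server answering a client mid-stream. The script below parses a few constructed OUT_TCP DROP lines in the same format, classifies each as a reply or a locally originated connection from its TCP flags, and shows why a rule keyed on `--sport 80` behaves differently from a conntrack rule keyed on `--state ESTABLISHED,RELATED`: the former accepts anything a local process sends from port 80, the latter only packets belonging to a flow the firewall has already seen arrive. Addresses are documentation ranges, the log lines are constructed, and the APF rule file name is an assumption to check against your APF version.

```bash
#!/bin/sh
# Added example: classify iptables LOG lines like the one in the post and
# compare a source-port egress rule with a conntrack-state egress rule.
# All log lines below are constructed samples, not captured data.

# Line 1: the web server's mid-stream reply (SPT=80, ACK only).
# Line 2: an outbound connection that merely binds local port 80 (SPT=80, SYN only).
# Line 3: an ordinary outbound connection to a remote web server (high SPT, SYN only).
SAMPLE_LOGS='Jan 5 07:52:50 foo kernel: ** OUT_TCP DROP ** IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=1420 TOS=0x00 PREC=0x00 TTL=64 ID=11955 DF PROTO=TCP SPT=80 DPT=40980 WINDOW=6432 RES=0x00 ACK URGP=0
Jan 5 07:53:01 foo kernel: ** OUT_TCP DROP ** IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=80 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 5 07:53:07 foo kernel: ** OUT_TCP DROP ** IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=48122 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0'

# log_field LINE KEY -> value of the "KEY=value" token in LINE (empty if absent)
log_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ ]$2=\([^ ]*\).*/\1/p"
}

# has_flag LINE FLAG -> exit 0 if the bare TCP flag token (SYN, ACK, RST, ...) is present
has_flag() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# classify_line LINE -> prints one of:
#   reply           ACK set, SYN clear: part of an existing connection
#   new-connection  SYN set, ACK clear: a connection originating on this host
#   other           anything else (RST, SYN-ACK, non-TCP)
classify_line() {
    line=$1
    [ "$(log_field "$line" PROTO)" = TCP ] || { echo other; return; }
    if has_flag "$line" SYN && ! has_flag "$line" ACK; then
        echo new-connection
    elif has_flag "$line" ACK && ! has_flag "$line" SYN; then
        echo reply
    else
        echo other
    fi
}

# sport_rule_would_accept LINE -> exit 0 if "-p tcp --sport 80 -j ACCEPT" matches.
# It also matches the SYN-only line 2: whatever can bind local port 80 gets out.
sport_rule_would_accept() {
    [ "$(log_field "$1" PROTO)" = TCP ] && [ "$(log_field "$1" SPT)" = 80 ]
}

# stateful_rule_would_accept LINE -> exit 0 if "-m state --state ESTABLISHED,RELATED"
# could match. Conntrack marks a flow ESTABLISHED only after seeing the inbound
# side, so a locally originated SYN never qualifies, whatever its source port.
# Approximation: the log line carries no conntrack state, so the flags stand in for it.
stateful_rule_would_accept() {
    [ "$(classify_line "$1")" = reply ]
}

# print_rules: the weak and the preferred egress rule sets as iptables commands.
# Under APF these belong in its custom rule file rather than being run by hand
# (assumption: /etc/apf/postroute.rules; verify for your APF version).
print_rules() {
    cat <<'EOF'
# Weak: trusts the source port; any process that can bind port 80 may originate traffic
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -j ACCEPT
# Preferred: replies to flows the firewall already accepted inbound, and nothing new
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state NEW -j LOG --log-prefix "** OUT_TCP DROP ** "
iptables -A OUTPUT -o eth0 -m state --state NEW -j DROP
EOF
}

main() {
    printf '%s\n' "$SAMPLE_LOGS" | while IFS= read -r line; do
        printf '%-15s sport-rule=%-6s stateful=%-6s SPT=%s DPT=%s\n' \
            "$(classify_line "$line")" \
            "$(sport_rule_would_accept "$line" && echo accept || echo drop)" \
            "$(stateful_rule_would_accept "$line" && echo accept || echo drop)" \
            "$(log_field "$line" SPT)" "$(log_field "$line" DPT)"
    done
    print_rules
}

main
```

Run it and the first line (the reply from the post) is accepted by both rules, while the second line, a SYN from local port 80, is accepted only by the source-port rule; that second case is exactly the "spoof the SPT=80 part" concern, and it is the case the conntrack rule closes without needing any port list at all.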