From: "azeem ahmad" <azeem484@xxxxxxxxxxx>

> but it's not the solution to just leave the programs that have dynamic
> ports. there must be a solution for them in netfilter

If you are very worried and have a large network, set up a SOCKS proxy. I believe the Windows MSN client also supports HTTP proxying but I've never tried.

On a smaller scale, it is fairly safe to allow the whole range of outgoing ports to be ACCEPTed in your OUTPUT chain, such as allowing out 2000-3000. You would have to find out the exact range it uses. A rule allowing ESTABLISHED or RELATED in your INPUT chain will handle the replies.

Unless you're going to use UPnP to open and close ports as needed it isn't easy to get programs like MSN that use lots of ports to work fully behind a firewall or NAT. There is a UPnP daemon for Linux and a good article at: http://www.ruwebit.net/article/77.

David
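The two rules the reply describes (an outgoing port range ACCEPTed in OUTPUT, plus ESTABLISHED/RELATED in INPUT for the replies), written out as an added example that is not part of the list post. The 2000-3000 range is only the illustration the mail uses; the real range has to be found for the client in question. The helper names gen_rules and apply_rules, the protocol argument and the range check are my own additions. The script prints the rules first so they can be reviewed, and only runs them when explicitly asked to.

```shell
#!/bin/sh
# Added example: generate the OUTPUT/INPUT rules for a client that uses a
# range of outgoing ports, in the spirit of the reply above.
# Hypothetical helper names; nothing here comes from the netfilter list.

# gen_rules PROTO LOW HIGH
# Prints the iptables commands for allowing outgoing connections to
# destination ports LOW..HIGH over PROTO, and the generic rule that lets
# connection tracking admit the replies. Returns 1 on a bad range so that
# a typo never turns into an over-broad rule.
gen_rules() {
    proto="$1"; lo="$2"; hi="$3"

    case "$proto" in
        tcp|udp) ;;
        *) echo "gen_rules: protocol must be tcp or udp" >&2; return 1 ;;
    esac
    # Both ports must be plain integers in 1..65535 and LOW <= HIGH.
    for p in "$lo" "$hi"; do
        case "$p" in
            ''|*[!0-9]*) echo "gen_rules: port '$p' is not a number" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "gen_rules: port '$p' out of range" >&2; return 1
        fi
    done
    if [ "$lo" -gt "$hi" ]; then
        echo "gen_rules: range $lo-$hi is reversed" >&2; return 1
    fi

    # Outgoing: only NEW connections to the client's port range, nothing wider.
    printf 'iptables -A OUTPUT -p %s --dport %s:%s -m state --state NEW -j ACCEPT\n' \
        "$proto" "$lo" "$hi"
    # Incoming: replies are admitted by connection tracking, not by open ports.
    printf 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
}

# apply_rules PROTO LOW HIGH
# Runs the generated commands. Requires root and an explicit opt-in via
# APPLY_RULES=1 so that sourcing this file never changes a live firewall.
apply_rules() {
    rules=$(gen_rules "$@") || return 1
    if [ "${APPLY_RULES:-0}" != "1" ]; then
        echo "dry run (set APPLY_RULES=1 to apply):"
        echo "$rules"
        return 0
    fi
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must be root to change iptables" >&2; return 1
    fi
    echo "$rules" | sh
}

# Example from the mail: allow out 2000-3000 over TCP (dry run by default).
apply_rules tcp 2000 3000
```

Running the script as shown prints the two iptables commands without touching the firewall; once the client's actual range is known, substitute it for 2000-3000 and run with `APPLY_RULES=1` as root. The range is deliberately bound to NEW connections and a single protocol so that the OUTPUT rule stays as narrow as the mail suggests.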