Is it possible to apply filtering rules to replies to translated
packets? It appears that replies to translated packets are allowed
through, without question. I have an OpenBSD router, from which I
forward a range of ephemeral ports to various LAN computers, and would
like to prevent RST segments from being sent out to the internet, in
reply to forwarded connections. This way, applications which create
listening sockets using ephemeral ports (such as DCC in my IRC client)
will still work, but no one will be able to port scan me and have any
indication as to which port ranges are being forwarded. It of course
would be possible to try to filter RST segments at each computer on the
internal network, but I'd prefer to do this at the router. Any ideas?