cgjones is correct. The beauty of iptables over its predecessor ipchains is the notion of stateful packet inspection (SPI). Even though your Firefox is changing its source ports dynamically, SPI will make your firewall track each outgoing connection and allow in the return packets without having to specify the exact port to allow. It is done with the following rules:
iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
The first rule sets the default INPUT policy to DROP and the second rule is the SPI rule I mentioned earlier. With just these two rules, your computer will not allow in any *unsolicited* inbound traffic. It will however allow in any traffic that you (or a computer behind your firewall) initiated.
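As an added example (not cgjones's or the poster's own rules), here is the same stateful INPUT policy written out as a complete, loadable ruleset around those two lines, in iptables-restore format so it can be reviewed or syntax-checked before it touches the live firewall. It uses the conntrack match (`-m conntrack --ctstate`), which is the current spelling of `-m state --state`, and adds the pieces a real box usually needs alongside the post's two rules: loopback, dropping INVALID packets, ping, and explicit NEW-connection rules for the services you actually run. The port list is an assumed example value (22 for ssh); the function names are mine.

```shell
#!/bin/sh
# Added example: a minimal stateful INPUT policy built around the two rules
# from the post (default DROP + RELATED,ESTABLISHED ACCEPT). Rule order
# matters: the RELATED,ESTABLISHED rule sits before any per-service rule,
# and the policy is DROP, so anything not matched earlier is dropped.
# Ports are given as arguments; "22" (ssh) is an assumed example default.

stateful_ruleset() {
    ports="${*:-22}"
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
        '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    # Only packets that open a NEW connection need a per-port rule; replies
    # to connections this host opened already passed the rule above.
    for p in $ports; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Returns 0 when the RELATED,ESTABLISHED rule precedes every NEW-service
# rule (the ordering that makes this policy stateful rather than port-based).
ruleset_order_ok() {
    stateful_ruleset "$@" | awk '
        BEGIN { seen = 0; bad = 0 }
        /--ctstate RELATED,ESTABLISHED -j ACCEPT/ { seen = 1 }
        /--ctstate NEW/ && !seen { bad = 1 }
        END { exit bad }'
}

# Syntax-check the generated ruleset without loading it (needs root and
# iptables-restore). Load it for real with:  stateful_ruleset 22 | iptables-restore
check_ruleset() {
    stateful_ruleset "$@" | iptables-restore --test
}

if [ "${1:-}" = "--check" ]; then
    shift
    check_ruleset "$@"
else
    stateful_ruleset "$@"
fi
```

Run it with no arguments to print the ruleset, or `sh firewall.sh --check 22 443` to have iptables-restore validate it. Note that OUTPUT stays ACCEPT here, as in the post: the stateful rule only controls what comes back in, so anything the machine (or a host behind it) initiates still gets out and its replies are let back in.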