in-state patch for FreeBSD/ipfw

example ruleset

$A_gateway = 127.22.66.1
$A_network = 127.22.66.0/24
$Webserver_A = 127.22.66.12
$Nameserver_A = 127.22.66.13

$B_gateway = 192.168.1.1
$B_network = 192.168.1.0/26
$Webserver_B = 192.168.1.2
...you get the idea.
# Source based routing
#---------------------------------------------------------------
fwd $A_gateway all from $A_network to not $A_network in-state
fwd $B_gateway all from $B_network to not $B_network in-state

# Established connections: packets of a flow with a dynamic rule pass via
# check-state; anything else claiming to be established is dropped and logged
check-state
deny log logamount 0 tcp from any to any established

# ISP A 
#----------------------------------------------------

# webserver
############################
# incoming http traffic
allow tcp from any to $Webserver_A http setup keep-state

# outgoing smtp
fwd $A_gateway tcp from $Webserver_A to any smtp setup keep-state

# nameserver
############################
# the domain-stuff
allow tcp from any to $Nameserver_A domain setup keep-state
allow udp from any to $Nameserver_A domain keep-state
# ...and outgoing
fwd $A_gateway tcp from $Nameserver_A to any domain setup keep-state
fwd $A_gateway udp from $Nameserver_A to any domain keep-state

# I want to log in here
allow tcp from any to $Nameserver_A ssh setup keep-state


# ISP B
#----------------------------------------------------

# webserver
############################
# incoming http traffic
allow tcp from any to $Webserver_B http setup keep-state

# outgoing smtp
fwd $B_gateway tcp from $Webserver_B to any smtp setup keep-state


# Other thingies
# xl1 is the internal, xl0 the external interface
#----------------------------------------------------

# lo0
allow ip from any to any via lo0

# ssh to this host
allow tcp from any to me ssh setup keep-state

# ICMP
allow icmp from any to any icmptypes 0,3,4,8,11
allow icmp from any to any in recv xl1

# allow me to do some things
allow tcp from me to any smtp,domain setup keep-state
allow tcp from me to any ssh setup keep-state
allow udp from me to any domain,syslog keep-state

#default deny
deny log all from any to any

This ruleset is not complete, but it should be a good guideline on how to use source-based IP routing together with keep-state rules.

Note the outgoing traffic (from the servers to the Internet): a plain "allow tcp" rule would not do the trick, because the packets would then leave via the FreeBSD box's default gateway, no matter which network they come from. The source-based routing already has to happen at this point.
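To make the evaluation order concrete, here is a small model of how ipfw walks these rules (an added example written for this note, not part of the patch or of the ruleset above). It assumes that in-state means "match only if a dynamic rule for this flow already exists", and uses a constructed client address 203.0.113.5.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Pkt:
    proto: str; src: str; sport: int; dst: str; dport: int; syn: bool

def key(p):
    # flow key shared by both directions of a connection (what a dynamic rule tracks)
    return (p.proto,) + tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

@dataclass
class Rule:
    action: str                 # "allow", "deny", "fwd <gw>" or "check-state"
    proto: str = "all"; dport: int = None
    src: str = "any"; dst: str = "any"; not_dst: bool = False
    setup: bool = False; keep_state: bool = False; in_state: bool = False

    def matches(self, p):
        def net(spec, addr):
            return spec == "any" or ip_address(addr) in ip_network(spec)
        return (self.proto in ("all", p.proto) and net(self.src, p.src)
                and net(self.dst, p.dst) != self.not_dst
                and (self.dport is None or self.dport == p.dport)
                and (not self.setup or p.syn))

def evaluate(rules, state, p):
    """Action ipfw takes on packet p; `state` is the dynamic rule table (mutated)."""
    for r in rules:
        if r.action == "check-state":
            if key(p) in state:
                return state[key(p)]  # a dynamic rule inherits its parent's action
            continue
        if not r.matches(p) or (r.in_state and key(p) not in state):
            continue  # in-state (assumed semantics): matches only an already known flow
        if r.keep_state:
            state[key(p)] = r.action
        return r.action
    return "deny"

B_NET, B_GW, WEB_B = "192.168.1.0/26", "192.168.1.1", "192.168.1.2"
def reply_action(with_in_state):
    # action taken on the web server's reply, with or without the in-state fwd rule
    fwd = [Rule("fwd " + B_GW, src=B_NET, dst=B_NET, not_dst=True, in_state=True)]
    rules = (fwd if with_in_state else []) + [Rule("check-state"),
        Rule("allow", "tcp", dst=WEB_B, dport=80, setup=True, keep_state=True),
        Rule("deny")]
    state = {}
    syn = Pkt("tcp", "203.0.113.5", 40000, WEB_B, 80, True)  # constructed client SYN
    assert evaluate(rules, state, syn) == "allow"              # creates the state entry
    return evaluate(rules, state, Pkt("tcp", WEB_B, 80, "203.0.113.5", 40000, False))
```

With the in-state fwd rule in front, the reply is forwarded to the ISP B gateway; without it, check-state simply returns the parent rule's "allow" and the reply follows the default route.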