Learn something new every day. I have never heard of the object-group prior to today.
Hopefully you are not hosting any resource to be accessed from the outside. The random client port will be blocked by the access list. I would not have a solution for this.
It would have been useful to quote context. Most of the regular posters here do not use googlegroups as their newsreaders, so they cannot immediately see the previous messages.
In particular, your reply left out enough context to make it difficult for people to recognize that it is the Cisco PIX that is being discussed.
The Cisco PIX is a stateful firewall, not just a filter. When a new connection comes in from outside and an appropriate translation rule exists and the access lists permit the accesses, then the PIX will create the connection and automatically create a rule permitting the return traffic.
With the PIX, you could have a host that was open from the outside on all ports (permit ip any host WHATEVER) and which was not allowed to initiate new flows to the outside (deny ip host WHATEVER any), and that arrangement would not have any problems with return traffic, because the PIX knows to add and remove the appropriate dynamic rules.
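The difference between a plain packet filter and the stateful behaviour described above can be seen in a small model. The following Python is an added example written for this thread, not code from any of the posters or from Cisco: the inside host address, the outside addresses and the port numbers are all constructed values, and the two-entry access list stands in for "permit ip any host WHATEVER" / "deny ip host WHATEVER any". The stateless filter applies the list to every packet and so drops the inside host's replies (the random client port problem mentioned earlier); the stateful model evaluates the list only for the packet that opens a flow, records a dynamic entry, and permits the return traffic until the entry is removed.

```python
"""Toy model contrasting a stateless packet filter with a stateful firewall.

Added example, not from the thread. It models the arrangement described in the
post: an inside host HOST is reachable from outside on all ports but may not
initiate flows outward. A stateless filter applying those two rules drops the
host's replies; the stateful model creates a connection entry when the inbound
flow is permitted and then allows the return traffic for that flow.
"""
from dataclasses import dataclass

HOST = "10.0.0.5"  # constructed inside host address (the thread's WHATEVER)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


# Access list as (action, src, dst) tuples, equivalent to
#   permit ip any host HOST
#   deny   ip host HOST any
ACL = [("permit", "any", HOST), ("deny", HOST, "any")]


def _match(rule_addr, packet_addr):
    return rule_addr == "any" or rule_addr == packet_addr


def acl_decision(pkt):
    """First-match evaluation with the implicit deny at the end of the list."""
    for action, src, dst in ACL:
        if _match(src, pkt.src) and _match(dst, pkt.dst):
            return action
    return "deny"


def stateless_filter(packets):
    """A filter with no memory: every packet is judged against the list."""
    return [acl_decision(p) for p in packets]


class StatefulFirewall:
    """Minimal connection tracking: the list is consulted only for new flows."""

    def __init__(self):
        self.connections = set()  # dynamic entries, one per flow

    @staticmethod
    def _key(pkt):
        # Order the two endpoints so a reply maps to the same entry as its request.
        return tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))

    def process(self, pkt):
        key = self._key(pkt)
        if key in self.connections:
            return "permit"  # return traffic of an established flow
        if acl_decision(pkt) == "permit":
            self.connections.add(key)  # the dynamic rule the post refers to
            return "permit"
        return "deny"

    def close(self, pkt):
        """Flow torn down (FIN/RST or idle timeout): drop the dynamic entry."""
        self.connections.discard(self._key(pkt))


def demo():
    # Constructed traffic: an outside client talks to HOST on port 80, HOST
    # replies, then HOST tries to open a brand-new flow to the outside.
    request = Packet("203.0.113.7", 51515, HOST, 80)
    reply = Packet(HOST, 80, "203.0.113.7", 51515)
    outbound_new = Packet(HOST, 40000, "198.51.100.9", 443)

    stateless = stateless_filter([request, reply, outbound_new])

    fw = StatefulFirewall()
    stateful = [fw.process(p) for p in (request, reply, outbound_new)]
    fw.close(request)
    after_close = fw.process(reply)  # no entry left, so the list applies again

    return {"stateless": stateless, "stateful": stateful, "after_close": after_close}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Running it shows the stateless list permitting the request but denying the reply, while the stateful model permits both and still refuses the host's own new outbound flow; once the entry is closed, the reply is judged by the list again and denied.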