+## Allow responses from the scary outside world into the untrusted net, but
+## don't let untrusted things run services.
+case $forward in
+ 1)
+ run ip46tables -A FORWARD -j ACCEPT \
+ -m mark --mark $(( $from_scary | $to_untrusted ))/$(( $MASK_FROM | $MASK_TO )) \
+ -m state --state ESTABLISHED,RELATED
+ ;;
+esac
+
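Review bot: The `--state ESTABLISHED,RELATED` match on the ACCEPT rule admits more than replies: RELATED also covers flows that a conntrack helper expects (an FTP data channel, for instance), which are new inbound connections to an untrusted host and sit uneasily with the stated goal of not letting untrusted things run services. RELATED also carries ICMP errors, so dropping it outright would hurt path-MTU discovery; the safer step is to keep it and add a comment such as `## RELATED covers ICMP errors and helper-expected flows; helpers must be assigned explicitly`, then confirm that no helper is auto-assigned, which these lines do not show. Separately, the `state` match is the legacy spelling; `-m conntrack --ctstate ESTABLISHED,RELATED` is the current one. The mark values and masks are defined outside these lines, so whether `$from_scary` or `$to_untrusted` can be empty when this arithmetic runs should be checked where they are set.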