> _Одним_ правилом это сделать невозможно. Но если напрячься, взять examples/client-all.conf....
# egrep -v "^ *(#|$)" </usr/share/doc/firehol/examples/client-all.conf
version 5
interface any world
client all accept
# firehol ./client-all.conf debug | ./explain-sorter
-N out_world_ftp_c3
-A out_world_ftp_c3 -p tcp --sport 32768:61000 --dport ftp -m state --state NEW,ESTABLISHED -j ACCEPT
-A out_world_ftp_c3 -p tcp --sport 32768:61000 --dport ftp-data -m state --state ESTABLISHED -j ACCEPT
-A out_world_ftp_c3 -p tcp --sport 32768:61000 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
-N in_world_ftp_c3
-A in_world_ftp_c3 -p tcp --sport ftp --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT
-A in_world_ftp_c3 -p tcp --sport ftp-data --dport 32768:61000 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A in_world_ftp_c3 -p tcp --sport 1024:65535 --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT
-N out_world_irc_c2
-A out_world_irc_c2 -p tcp --sport 32768:61000 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT
-N in_world_irc_c2
-A in_world_irc_c2 -p tcp --sport 6667 --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT
-N out_world_all_c1
-A out_world_all_c1 -m state --state NEW,ESTABLISHED -j ACCEPT
-N in_world_all_c1
-A in_world_all_c1 -m state --state ESTABLISHED -j ACCEPT
-N out_world
-A out_world -j out_world_all_c1
-A out_world -j out_world_irc_c2
-A out_world -j out_world_ftp_c3
-A out_world -m state --state RELATED -j ACCEPT
-A out_world -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=''OUT-world':'
-A out_world -j DROP
-N in_world
-A in_world -j in_world_all_c1
-A in_world -j in_world_irc_c2
-A in_world -j in_world_ftp_c3
-A in_world -m state --state RELATED -j ACCEPT
-A in_world -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=''IN-world':'
-A in_world -j DROP
-A FORWARD -m state --state RELATED -j ACCEPT
-A FORWARD -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix='PASS-unknown:'
-A FORWARD -j DROP
-A OUTPUT -j out_world
-A OUTPUT -m state --state RELATED -j ACCEPT
-A OUTPUT -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix='OUT-unknown:'
-A OUTPUT -j DROP
-A INPUT -j in_world
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix='IN-unknown:'
-A INPUT -j DROP
# exit
...немного его редуцировать... простите!, сократить (забыть об irc и ftp)... то останется:
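# Reduced equivalent of the client-all.conf ruleset above. The two ACCEPT
# rules only restrict anything if the chains fall through to DROP: the full
# ruleset ended INPUT, OUTPUT and FORWARD with an explicit `-j DROP`, the
# reduction does not, so the chain policy has to carry that role. On a
# default-ACCEPT table these two rules alone are no-ops. The original also
# dropped all FORWARD traffic; the policy restores that.
-P INPUT DROP
-P OUTPUT DROP
-P FORWARD DROP
# Outbound: the host may open new connections and continue existing ones.
# INVALID is deliberately absent from the list, so it falls through to DROP.
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Inbound: only replies to (and RELATED helper traffic for) connections the
# host itself initiated; unsolicited NEW packets fall through to DROP.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Lost relative to the original: the rate-limited LOG before each DROP
# (`-m limit --limit 1/second --limit-burst 5 -j LOG`). Add those back if
# you want the rejected traffic to be visible in the logs.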
Ничего, что правил — _два_, извините? (Оговорка: это эквивалентно исходному набору только при политике DROP на INPUT/OUTPUT/FORWARD — сами по себе два ACCEPT ничего не запрещают; рейт-лимитированный LOG перед DROP тоже пропал.)