Thanks for the recommendations, Craigs books are a huge help. I have a 3
system test environment set up with BorderManager so we (us Administrators)
can get to know BorderManager and spend some QT with it.

I have the default filters set up (deny packets in filter list):
Filter 1: Destination: public interface
Filter 2: Source: public interface

Now I set up some basic filter exceptions so we can see how this thing
works (only using these two exceptions for now):

1. Destination: Public interface, Packet Type: ping-st
2. Source: Public interface, Packet Type: ping-st

Now, in my mind, these two exceptions should allow us to ping both ways
through the BorderManager server, but only we only get outgoing. The way
I'm reading these exceptions is:
1. Anything destined for the public interface (protocol icmp, stateful),
allow it.
2. Anything coming from the public interface (protocol icmp, stateful),
allow it.

Why is it only allowing traffic one way?