Sun Jun 24 15:13:51 EDT 2012

Firewall cleanup

I have many network interfaces, but really only 3 classes:
- Untrusted (internet): things like SSH, VPN, SIP, ...
- Semi-trusted: local wireless
- Trusted: LAN + VPN

Outgoing/forward I want to make sure trusted can access everything,
semi-trusted cannot access the trusted network, and untrusted cannot
access semi-trusted or trusted.

For these I use bridging to make them share 3 IP segments.  It seems
that bridging counts as routing for FORWARD, but as a normal interface
for IN/OUT.

It's probably good to put these 3 behaviours in chains.

So.. is a user-defined chain a call/return or a jump?  I think it's a
jump, because user-defined chains cannot have policies (default jump
target).  Yep, that's the case[1].

Hmm... I don't really have a good intuitive grasp of the basics of
iptables..  Asterisk takes a lot of CPU but I wonder if this isn't
just because it's swapping the code in and out..

Can't filter on aliases, i.e. br0:0 since they are not real interfaces.
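The three-class FORWARD policy above, built with one user-defined chain per ingress class, as an added example (not from these notes). Interface names and subnets are assumptions: `br0`/`br1` stand for the trusted and wireless bridges, `eth0` for the internet-facing interface. The script only prints the rules so they can be reviewed; it applies them (as root) when run with `apply`. Two points it illustrates: a packet enters a user chain through `-j`, and because the chain has no policy, a packet that matches nothing in it (or hits `RETURN`) continues at the next FORWARD rule, so the built-in chain's `DROP` policy still has the final say. And since `-i`/`-o` only match real devices, traffic for an aliased subnet such as `br0:0` has to be matched on address with `-s`/`-d`, which is what the commented rule in `from_semi` shows.

```shell
#!/bin/sh
# Added example, not part of the original notes. Generates an iptables
# FORWARD ruleset for three interface classes: trusted, semi-trusted
# (wireless) and untrusted (internet). All names below are assumptions.
TRUSTED_IF=br0      # assumed: LAN bridge (VPN tunnel would be added here too)
TRUSTED_NET=192.168.1.0/24
SEMI_IF=br1         # assumed: wireless bridge
UNTRUSTED_IF=eth0   # assumed: internet-facing interface

# Emit the rules as text instead of running them, so the set can be read,
# diffed and tested before it ever touches the live firewall.
gen_forward_rules() {
    cat <<EOF
# Built-in chain policy: anything no class chain decides on is dropped.
iptables -P FORWARD DROP
# One user chain per ingress class. These have no policy of their own.
iptables -N from_trusted
iptables -N from_semi
iptables -N from_untrusted
# Replies to connections opened from a more-trusted side are always fine;
# this has to come before the class chains so they only see new traffic.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# -j enters the class chain; -i matches the bridge device itself, which is
# what bridged frames carry once they pass through FORWARD.
iptables -A FORWARD -i $TRUSTED_IF -j from_trusted
iptables -A FORWARD -i $SEMI_IF -j from_semi
iptables -A FORWARD -i $UNTRUSTED_IF -j from_untrusted
# Trusted may reach everything.
iptables -A from_trusted -j ACCEPT
# Semi-trusted may not reach the trusted network, but may go anywhere else.
iptables -A from_semi -o $TRUSTED_IF -j DROP
# An alias (br0:0) cannot be named in -o; match the aliased subnet by address:
iptables -A from_semi -d $TRUSTED_NET -j DROP
iptables -A from_semi -j ACCEPT
# Untrusted may reach neither the wireless nor the trusted side. Nothing is
# accepted here: RETURN (or simply falling off the end) hands the packet back
# to FORWARD, where the DROP policy applies.
iptables -A from_untrusted -o $SEMI_IF -j DROP
iptables -A from_untrusted -o $TRUSTED_IF -j DROP
iptables -A from_untrusted -j RETURN
EOF
}

# Number of actual iptables commands in the generated set (comments excluded);
# useful as a quick sanity check that the template was not truncated.
rule_count() {
    gen_forward_rules | grep -c '^iptables '
}

if [ "${1:-}" = "apply" ]; then
    gen_forward_rules | sh        # requires root
else
    gen_forward_rules             # review mode: just print
fi
```

Run it with no arguments to inspect the ruleset; `sh script.sh apply` (as root) loads it. Adding a fourth class, or a VPN tunnel to the trusted side, means one more `-i ... -j from_...` line and one more chain, while the ordering of the conntrack rule and the FORWARD policy stay as they are.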

[1] http://en.wikipedia.org/wiki/Iptables