Honeypots mailing list archives

honeywall roo: rc.firewall questions


From: James Oliver <686f6e6579 () gmail com>
Date: Thu, 26 May 2005 23:25:37 +0200

Hi,

While going through the rc.firewall script of the new honeywall roo
the following questions came up:


A)

Assumptions:
    *) ROACHMOTEL is not enabled
    *) HwRESTRICT is enabled

That means that connections from the honeypots to the ports defined in
HwALLOWED_TCP_OUT and HwALLOWED_UDP_OUT are possible. Looking at
http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html#section5 I
thought that meant that the iptables rules have to operate on the FORWARD
chain. However, the following iptables commands (after the "if [
"${HwROACHMOTEL_ENABLE}" = "no" ]; then") operate on the OUTPUT chain:

[...]
       for port in ${HwALLOWED_TCP_OUT}; do
           iptables -A OUTPUT -p tcp --dport $port -m state \
                   --state NEW,ESTABLISHED,RELATED -j ACCEPT
       done
[...]


Where am I wrong, or is this a bug in the roo rc.firewall script?


B)

Is there a supported way to allow the Honeywall to update via yum,
i.e. to allow new outgoing TCP connections for yum together with
outgoing UDP packets for the nameserver queries, or do I have to
run iptables commands myself when I want to do the update?

Bye and thanks for your answers,
James
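
An added example of how the HwRESTRICT port list could be applied to bridged honeypot traffic on the FORWARD chain instead of OUTPUT (this is not the roo rc.firewall script and not from the thread). It assumes a honeypot-side bridge port named in HwLAN_IFACE, that bridge-nf is enabled so bridged frames traverse iptables, and an IPT wrapper that defaults to a dry run (printing the commands) so it can be inspected without root:

```shell
#!/bin/sh
# Added example, not the roo rc.firewall script. Egress restriction for
# bridged honeypots, placed on FORWARD: bridged frames never traverse
# OUTPUT, which only sees packets the honeywall itself generates.
# Assumptions: HwLAN_IFACE is the bridge port facing the honeypots,
# bridge-nf is loaded, and IPT defaults to "echo iptables" (dry run).

HwALLOWED_TCP_OUT="${HwALLOWED_TCP_OUT:-22 25 80 443}"   # constructed sample list
HwALLOWED_UDP_OUT="${HwALLOWED_UDP_OUT:-53 123}"         # constructed sample list
HwLAN_IFACE="${HwLAN_IFACE:-eth1}"                       # assumed bridge port
IPT="${IPT:-echo iptables}"                              # set IPT=iptables to apply

# Emit the rules restricting what the honeypots may initiate outward.
# Every rule is keyed to the honeypot-side bridge port via the physdev match,
# so traffic the honeywall originates (e.g. yum) is not affected by them.
hw_restrict_rules() {
    for port in ${HwALLOWED_TCP_OUT}; do
        ${IPT} -A FORWARD -m physdev --physdev-in "${HwLAN_IFACE}" \
            -p tcp --dport "${port}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    done
    for port in ${HwALLOWED_UDP_OUT}; do
        ${IPT} -A FORWARD -m physdev --physdev-in "${HwLAN_IFACE}" \
            -p udp --dport "${port}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    done
    # Replies belonging to connections that came in from the outside stay allowed.
    ${IPT} -A FORWARD -m physdev --physdev-in "${HwLAN_IFACE}" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Anything else the honeypots try to initiate is logged, then dropped.
    ${IPT} -A FORWARD -m physdev --physdev-in "${HwLAN_IFACE}" \
        -m state --state NEW -j LOG --log-prefix "HW_OUT_DENY: "
    ${IPT} -A FORWARD -m physdev --physdev-in "${HwLAN_IFACE}" \
        -m state --state NEW -j DROP
}

# Dry run: show the generated rule set without touching the kernel.
hw_restrict_rules
```

Run with IPT=iptables as root to apply; with the default it only prints the rules so they can be reviewed.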

