A Firewall tutorial for
Brazil Firewall and Coyote Linux


This kind of firewall is called a stateful firewall, a stateful packet inspection firewall, or an SPI firewall; all three terms mean the same thing. It is stateful because it "remembers" which connection each packet belongs to, in both directions, so that replies to a connection started from the LAN can be let back in without needing a rule of their own. All of this is done by the netfilter code hooked into the Linux kernel: iptables, which holds the rules, and connection tracking (conntrack), which keeps the state table.

Some theory of the iptables chains

If you are going to troubleshoot rules, it is imperative to understand this.

This tutorial will concentrate on the default filter table of Brazil Firewall/Coyote Linux and its 3 built-in rule-sets: INPUT, OUTPUT, and FORWARD. Chain is the proper term for a rule-set. Each built-in chain can jump to user-defined chains.

The INPUT chain is for inbound traffic, from the WAN or the LAN, destined to services running on the firewall PC itself, like the Webadmin or the SSH server. This is where all NEW packets originating from the Internet get blocked. I can hear you say "but isn't all traffic from the Internet directed to my Internet IP address?" Yes and no. More on that later.

The OUTPUT chain is for outbound traffic generated by the firewall PC itself, such as its own DNS lookups or pings.

There is also a NAT table with its own chains (rule-sets) PREROUTING, POSTROUTING, and OUTPUT, but we will ignore it for now; more on it later. These chains can also have user-defined chains, and the NAT table's OUTPUT is not the same chain as the filter table's OUTPUT above. Lastly there is the MANGLE table, which I will ignore; it is used for packet marking and QoS. BrazilFW users: with the bridging add-on installed, the flow of traffic is not technically exact as shown, but the effect is the same.

Traversing the FORWARD chain

The main chain we are interested in is FORWARD, which controls traffic traversing the firewall from one network to another in either direction. FORWARD jumps to 5 user-defined chains in this order: access-acl, autofw-acl, portfw-acl, user-filter, and port-filter.
(Figure: iptables flow in Brazil Firewall)

In BrazilFW version 2.30 the rule that accepts return traffic from an ESTABLISHED or RELATED connection (connection tracking) was inserted before access-acl for performance reasons. In version 2.30.1 it was moved to after access-acl for better control: while it sat before access-acl, no rule in access-acl could stop a packet that belonged to an already-tracked connection. It used to be after port-filter, which is how Coyote Linux is still configured.

Traffic entering FORWARD from either direction passes through the chains above in that order until a rule matches (deny or allow). If nothing matches, the chain's default policy is used. By default all traffic from the inside to the Internet is allowed, and just before the default policy there is a rule that blocks all NEW traffic originating from the Internet. Testing showed that NEW traffic from the Internet is actually blocked in INPUT rather than FORWARD: unless a port forward rewrites it, such a packet is addressed to the firewall's own WAN address, so it is delivered locally and never forwarded at all.

Any packet matched in access-acl stops there and never goes through the rest. The same applies to the other chains, in their order. This is demonstrated in the Troubleshooting firewall rules tutorial. You can see that it is pretty easy to get lost. That nice port forward rule you made to allow Internet access to your mail server may be blocked by a badly constructed rule in access-acl. Or worse, a badly constructed rule in access-acl may allow anyone on the Internet to reach a PC on your LAN, and nothing in the later chains ever gets a chance to object. Black hats are always on the lookout for this.

Here is a brief description of what each does:
access-acl contains the rules created in the Advanced Firewall Configuration;
autofw-acl contains the Pre-Configured Services rules from Port Forwarding;
portfw-acl contains the Port Forwarding rules you create yourself;
user-filter, introduced in V2.24, contains the rules from the Internal Users Filtering of the Simplified Firewall Configuration;
port-filter, also introduced in V2.24, contains the rules from the External Services Filtering of the Simplified Firewall Configuration.


Magic in the NAT chain

Remember the question above, "but isn't all traffic from the Internet directed to my Internet IP address?", and the NAT table I said we would ignore? Here is how it happens. When a packet is recognized as return traffic for a connection that a LAN PC started (and that was masqueraded to the Internet IP address on the way out), the destination address is changed back from the Internet IP address to the address of the initiating PC on the LAN. In the same manner, when NEW traffic arrives for a port you have forwarded to an inside server, the destination address is changed from the Internet IP address to the server's IP address on the LAN. Both rewrites happen in the NAT table's PREROUTING chain, before the routing decision, so the packet enters FORWARD already carrying the LAN address and FORWARD is none the wiser. Two things follow: a FORWARD rule for a port forward must match the LAN address of the server, not your Internet IP address; and a packet that matches neither case keeps the firewall's own address, is routed to the firewall itself, and lands in INPUT. Neat eh?

The one thing to remember when making rules is to be as specific as possible, so that you do not create holes by accident. Only allow in what you need to get the job done: specify the direction of travel (the interface), the addresses and the ports, or as many of these as you can. An allow rule that names only an interface lets in everything arriving on it. Be more worried about what you have allowed in than about what you have blocked.

Where are these iptables rules?

One user asked which file all these rules are stored in. They aren't: the live rules exist only in kernel memory and are changed dynamically with iptables commands. BrazilFW/Coyote Linux store everything you enter through the configuration menus in their own intermediate files, which are then used to generate the iptables commands. The default rules live in scripts here and there and are loaded at boot time. To see the rules actually in force, list a chain on the firewall with iptables -L FORWARD -nv --line-numbers, or dump all tables at once with iptables-save if your build includes it.
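The following script is an added example and is not BrazilFW or Coyote Linux code. It reads a ruleset in iptables-save format and answers, from that text alone, the questions raised above: the order in which FORWARD traverses its user-defined chains and where the ESTABLISHED,RELATED accept sits among them, which ACCEPT rules in the user-defined chains are loose enough to be accidental holes, and which port forwards (DNATs in nat PREROUTING) have no filter rule matching the rewritten LAN address, the mistake that comes from writing the FORWARD rule against the Internet IP address. The embedded ruleset is constructed for the example; the chain names are the tutorial's, while the interface names (eth0 as WAN, eth1 as LAN), the addresses and the ip:port form of --to-destination are assumptions.

```shell
#!/bin/sh
# Added example (not BrazilFW/Coyote code): read an iptables-save dump and report
# FORWARD order, loose accepts in user chains, and DNATs with no matching filter rule.

# Constructed sample in iptables-save format. Chain names are the tutorial's;
# the interfaces (eth0 = WAN, eth1 = LAN) and addresses are assumptions.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:access-acl - [0:0]
:autofw-acl - [0:0]
:portfw-acl - [0:0]
:user-filter - [0:0]
:port-filter - [0:0]
-A INPUT -i eth0 -m state --state NEW -j DROP
-A FORWARD -j access-acl
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j autofw-acl
-A FORWARD -j portfw-acl
-A FORWARD -j user-filter
-A FORWARD -j port-filter
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i eth0 -m state --state NEW -j DROP
-A access-acl -i eth0 -j ACCEPT
-A portfw-acl -d 192.168.0.10/32 -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A user-filter -s 192.168.0.50/32 -p tcp -m tcp --dport 80 -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.0.10:25
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.20:80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Print the FORWARD chain in traversal order as "position: target [matches]".
# A packet stops at the first terminating match, so whatever comes first wins.
forward_order() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "FORWARD" {
            n++; target = ""; matches = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-j") { target = $(i + 1); i++ }
                else matches = matches (matches == "" ? "" : " ") $i
            }
            printf "%d: %s [%s]\n", n, target, matches
        }'
}

# ACCEPT rules in user-defined chains that name neither an address nor a port.
# "-A access-acl -i eth0 -j ACCEPT" admits anything from the Internet into FORWARD.
loose_accepts() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 !~ /^(INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING)$/ {
            accept = 0; specific = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-j" && $(i + 1) == "ACCEPT") accept = 1
                if ($i ~ /^(-s|-d|--sport|--dport)$/) specific = 1
            }
            if (accept && !specific) print
        }'
}

# For each DNAT in nat PREROUTING, check that some user-defined filter chain
# ACCEPTs the rewritten LAN destination and port. FORWARD only ever sees the
# post-DNAT address, so an allow rule written against the WAN IP never matches.
# Assumes --to-destination is written as ip:port (an assumption of this example).
unforwarded_dnats() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "PREROUTING" {
            to = ""; proto = ""; dport = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "--to-destination") to = $(i + 1)
            }
            if (to != "") { n++; dest[n] = to; desc[n] = proto " " dport " -> " to }
        }
        $1 == "-A" && $2 !~ /^(INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING)$/ {
            ip = ""; port = ""; accept = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-d") { ip = $(i + 1); sub(/\/32$/, "", ip) }
                if ($i == "--dport") port = $(i + 1)
                if ($i == "-j" && $(i + 1) == "ACCEPT") accept = 1
            }
            if (accept && ip != "") allowed[ip ":" port] = 1
        }
        END { for (k = 1; k <= n; k++) if (!(dest[k] in allowed)) print "no filter ACCEPT for DNAT " desc[k] }'
}

echo "FORWARD traversal order:"; forward_order "$SAMPLE_RULES"
echo "Loose ACCEPT rules in user-defined chains (look here first):"; loose_accepts "$SAMPLE_RULES"
echo "Port forwards with no matching filter rule:"; unforwarded_dnats "$SAMPLE_RULES"
```

On the sample, forward_order shows access-acl at position 1 and the ESTABLISHED,RELATED accept at position 2, the 2.30.1 arrangement; the loose rule reported is the interface-only accept in access-acl, which is exactly the hole warned about above; and the DNAT for port 80 is flagged because no user-defined chain accepts 192.168.0.20:80. To run it against a real firewall, replace SAMPLE_RULES with the output of iptables-save, or call the functions with "$(iptables-save)" as the argument.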

DISCLAIMER: The following instructions come with no warranty. Use them at your own discretion and risk. I am not responsible for their misuse or for any damages or losses that may be caused directly or indirectly. It is assumed that you practice safe computing and take backups before making changes.

Stuff is written here for the uninitiated, and no prior knowledge of the subject is presumed.

You want more? Read this tutorial by Oskar Andreasson. Superb!

There are also these HOWTOs from www.netfilter.org:
netfilter-hacking-HOWTO.txt
netfilter-double-nat-HOWTO.txt
packet-filtering-HOWTO.txt
NAT-HOWTO.txt

For support use the Brazil Firewall forums so everyone can share the information.