Differences between revisions 2 and 3
Revision 2 as of 2008-08-19 19:48:14
Size: 1677
Editor: LukeWilliams
Comment:
Revision 3 as of 2008-08-19 19:58:59
Size: 1885
Editor: 124-169-113-184
Comment: mention ip rule
Line 19: Line 19:

== Caveats ==

One trick is that it isn't ''just'' iptables that is doing the magic - the "ip" command is used for some of the source routing. {{{ip rule list}}} will show you some of that (fwmark etc).

Not ready for human consumption, I'll remove this notice and resume work on this article when I get back from pizza - [LAW]


The devil has a name, and it is ucc-fw. This article aspires to be a reference manual for the UCC firewall. It does not aspire to be a reference manual for iptables, and readers are expected to familiarize themselves with the basics of iptables syntax before attempting to change the central firewall.

== Not just a firewall ==

ucc-fw is located on madako in /etc/init.d/ and at time of writing weighs in at nearly 700 lines of arcane iptables commands and cryptic comments, and is responsible for keeping the baddies out. It is also responsible for keeping costs down by making sure the right data goes out the right link, NAT for the Silk link, and a lot of other things the reasons for which will become apparent as you become familiar with the way information flows in and out of the club.

As suggested by its location, ucc-fw is initialized at boot, and changes can be applied by simply running the script again.

== Letting things through ==

The most common firewall maintenance task you'll come across is also the easiest.

== Common Tasks ==

Most changes to ucc-fw are relatively mundane: unblocking a port, forwarding a port, and unfirewalling a particular host (e.g. a colocated user machine).

== Unfirewalling a host ==

This quick guide assumes the host you wish to unfirewall is on VLAN 3, as most colocated user machines will be. If it is on a different VLAN you should read the rest of this document before trying to adapt these instructions to your specific case. The two sections

== Caveats ==

One trick is that it isn't just iptables that is doing the magic: the "ip" command is used for some of the source routing. ip rule list will show you some of that (the fwmark rules that select a routing table, etc.), so a mark set in ucc-fw only has an effect if a matching ip rule exists, and an ip rule only fires if something actually sets that mark.
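As an added illustration of this caveat (example code, not from the UCC wiki or from ucc-fw), the POSIX shell check below compares the fwmark values referenced by ip rule list with the marks set in the iptables mangle table and reports any that appear on only one side. The ip rule and iptables output, table names, marks and interface names are constructed samples; on the firewall host you would feed it the real command output instead.

```shell
#!/bin/sh
# Added example, not part of the UCC wiki page or of ucc-fw itself.
# Cross-checks the two halves of fwmark-based policy routing: every mark an
# `ip rule` routes on should be set by an iptables MARK rule, and every mark
# iptables sets should be routed on; otherwise one side is dead configuration.
# `ip` and `iptables` need root, so the inputs below are constructed text in
# the format those tools print; on the firewall host replace them with
# "$(ip rule list)" and "$(iptables -t mangle -S)". Table names, marks and
# addresses are hypothetical.

SAMPLE_IP_RULES='0:      from all lookup local
100:    from all fwmark 0x1 lookup silk
101:    from all fwmark 0x2 lookup uplink2
32766:  from all lookup main
32767:  from all lookup default'

SAMPLE_MANGLE='-P PREROUTING ACCEPT
-A PREROUTING -s 192.0.2.0/24 -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -i eth2 -j MARK --set-mark 0x3'

# marks_after REGEX TEXT: print each value that follows a token matching REGEX
# (e.g. "fwmark 0x1" or "--set-xmark 0x1/0xffffffff"), mask suffix stripped,
# converted to decimal, sorted and de-duplicated, one per line.
marks_after() {
    printf '%s\n' "$2" | awk -v key="$1" '
        { for (i = 1; i < NF; i++) if ($i ~ key) { split($(i + 1), m, "/"); print m[1] } }' |
    while read -r raw; do echo $(( $raw )); done | sort -un
}

# check_marks IP_RULE_OUTPUT MANGLE_OUTPUT: report marks present on one side only.
check_marks() {
    routed=$(marks_after '^fwmark$' "$1")
    set_by_fw=$(marks_after '^--set-x?mark$' "$2")
    for m in $routed; do
        printf '%s\n' "$set_by_fw" | grep -qx "$m" || echo "routed-but-never-marked $m"
    done
    for m in $set_by_fw; do
        printf '%s\n' "$routed" | grep -qx "$m" || echo "marked-but-never-routed $m"
    done
}

check_marks "$SAMPLE_IP_RULES" "$SAMPLE_MANGLE"
```

With the sample data, mark 0x2 is routed but nothing sets it, and mark 0x3 is set but no ip rule uses it; a clean firewall prints nothing.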