So, I use Firestarter to manage the firewall at home. It has it’s issues, of course (not all events show up in the little event viewer, for example), and I’m a little wary of using a graphical tool to manage iptables. That said, I’ve so little time at home, I don’t really care to spend it wrestling with the firewall on my Linux box.
This is also why people buy those toys from Linksys, they require little to no effort to use. Of course, their wireless offerings should ship secure by default, with a little plastic window on the bottom of the thing containing a card with the SSID and WEP keys on it—and a stack of pre-labeled cards to write future SSID and WEP keys on.
Aaaaanyways, having setup OpenVPN at work (ethernet bridge over TCP) I needed to punch through the firewall on my box so it was worth a damn. Unfortunately adding the VPN network to the “Hosts allows to connect” list doesn’t work, since it still blocks the output. To fix this, you need to disable the firewall on your tap (or tun, if you’re using OpenVPN in a routed configuration) interface by adding the VPN network to your “allowed hosts” bit, and then adding the following lines to /etc/firestarter/user-pre:
$IPT -A INPUT -i tap+ -j ACCEPT $IPT -A OUTPUT -o tap+ -j ACCEPT
What that means is: “let anything coming in (INPUT/-i) or going out (OUTPUT/-o) on any tap interface through.” Getting the connection to use the incoming/outgoing policies is the ideal case, but I didn’t really research into how to make it work beyond a little experimentation.