See inline for a few answers.
A few firewall questions
a) in 'mangle' I see also the accept/drop/reject actions. I though mangle is intended for marking traffic, not for making decisions on how to handle it? Or is the 'mangle' table just a normal firewall table that is just consulted first before the 'filter'?
Mangle is for mangling packets. It has an accept action but not drop or reject.
b) What is the 'hotspot' match in both mangle/filter? The wiki only says:
hotspot (auth | from-client | http | local-dst | to-client; Default: )
without explanation. Could 'auth' mean: authenticated firewall traffic? What about the other options?
I believe you are correct on this one. If you create a hotspot you will see a number of auto generated rules which use these different states to create jump actions. Most of the time you will not need to match these states on your own.
a) does connection-state=!established,related mean: !(established,related) (ie neither) or !established, but related?
I hope the former as there is no way to say !established,!related either, but the doco is sketchy
In my experience it means connection-state=!(established,related).
b) does connection-state=invalid equal: not new, not established and not related, or is that a separate state?
Its a unique state or at least one that still allows new
through. I have my invalid
drop rule at the very top right below the established
allow rule. My new traffic still makes its way through the appropriate rules.
What is 'connection-nat-state' ? The wiki doesn't say either.
This along with the connection state checkboxes are new as of ROS 6.22. The release notes offer the following insight:
*) improved connection-state matcher in firewall - can match multiple states in one rule, supports negation;
*) added connection-nat-state matcher - can match connections that are srcnatted,dstnatted or both;
Think of it as a way to create a allow all rule for dst-nat
traffic with out needing to generate both the NAT
table rule and the filter