Простенький файрвол ferm

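# Installing a package with emerge needs root; the next step already uses
# sudo for the same reason, so be consistent and use it here as well.
sudo emerge net-misc/ferm
# Edit the ruleset (any editor will do; mcedit is Midnight Commander's).
sudo mcedit /etc/ferm/ferm.conf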
# workstation & fileserver
# Author: wavilen

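# NOTE(review): ferm defaults to `domain ip`, so this file programs iptables
# only. If the host has IPv6 connectivity, ip6tables keeps its default
# ACCEPT policy and every port is reachable over v6. Add a separate
# `domain ip6` table for that case -- do not just switch to `domain (ip ip6)`,
# because the 224.0.0.0/4 multicast rule below is IPv4-only.
table filter {
    chain INPUT {
        # Default-deny: anything not explicitly accepted below is dropped.
        policy DROP;

        # connection tracking
        # Packets conntrack cannot associate with any flow are dropped first.
        mod state state INVALID DROP;
        # With the default nf_conntrack_tcp_loose=1 a stray non-SYN TCP packet
        # is classified NEW (not INVALID), so it would slip past the rule above
        # and reach the per-port ACCEPT rules. Only a SYN may open a TCP flow.
        proto tcp ! syn mod state state NEW DROP;
        # Replies to connections this host initiated, plus related traffic
        # (e.g. ICMP errors for tracked flows, FTP data), are accepted.
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # allow local connections
        interface lo ACCEPT;

        # respond to ping (other ICMP for tracked flows arrives as RELATED above)
        proto icmp icmp-type echo-request ACCEPT;

        # allow SSH connections
        # NOTE(review): open to every source address. For a workstation consider
        # restricting with `saddr <lan-subnet>` or adding a `mod recent`-based
        # rate limit against password brute-forcing.
        proto tcp dport ssh ACCEPT;

        # ident connections are also allowed
        # Only matters if an identd is actually running (and it then discloses
        # local usernames to anyone who asks). With no listener the kernel
        # answers with RST anyway, which is what keeps remote mail/IRC ident
        # lookups from hanging; `REJECT reject-with tcp-reset` gives the same
        # effect without ever exposing an identd.
        proto tcp dport auth ACCEPT;

        # samba
        # NOTE(review): SMB/NetBIOS and NFS below are reachable from every
        # interface and source address. For a LAN fileserver restrict them to
        # the LAN (`saddr`/`interface`) once the subnet or interface is known.
        proto tcp dport (139 445) ACCEPT; #smbd
        proto udp dport (137:138) ACCEPT; #nmbd

        # NFSv4
        # NFSv4 itself needs only port 2049. sunrpc (111, rpcbind) is required
        # only for NFSv3/showmount clients and is a common reconnaissance
        # target -- drop this line if no v3 clients exist.
        proto tcp dport sunrpc ACCEPT;
        proto (tcp udp) dport 2049 ACCEPT;

        #torrent
        # Listening port of the BitTorrent client (TCP and UDP/uTP).
        proto tcp dport (8000) ACCEPT;
        proto udp dport (8000) ACCEPT;

        #iptv
        # Multicast group traffic and IGMP membership reports for IPTV streams.
        proto (udp igmp) daddr 224.0.0.0/4 mod state state NEW ACCEPT;
        # Unicast stream port (1234 is VLC's default -- presumably that client).
        proto udp dport 1234 ACCEPT;

        # the rest is dropped by the above policy
    }

    # outgoing connections are not limited
    chain OUTPUT policy ACCEPT;

    # this is not a router
    chain FORWARD policy DROP;
}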
# Load the ruleset interactively: with -i ferm applies the rules and then
# asks for confirmation, reverting to the previous rules if none is given
# -- this guards against locking yourself out over SSH.
sudo ferm -i /etc/ferm/ferm.conf
# Snapshot the now-active kernel rules so Gentoo's iptables service can
# restore them at boot. Note that it is this snapshot, not ferm.conf,
# that is loaded on boot.
sudo /etc/init.d/iptables save
sudo /etc/init.d/iptables start
# NOTE(review): after any later edit of ferm.conf, re-run `ferm -i` AND
# `iptables save`, otherwise the boot-time ruleset silently drifts from the
# file. Alternatively, if the package ships a ferm init script, add that
# service to the runlevel instead and keep ferm.conf as the single source.
sudo rc-update add iptables default
