The rule setup (figure E) says 'acl'; is this firewall a series of access control lists?
One thing I'd like to know is what is the default policy on incoming packets, and how are they managed? I'd hope the thing denies everything until specifically allowed.
I also don't see an obvious way to ensure that all incoming packets allowed are in context ('established' state with iptables). Figure E looks like you basically allow everything hitting the firewall to pass through to the destination regardless of whether it has been requested or not.
I'll have to play around with this one; it does look interesting, a kernel hook rather than iptables...
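For comparison with the ACL-style rules the commenter is asking about, here is the iptables default-deny, connection-tracked ruleset that the comment has in mind. This is an added example, not code from the original post or from the reviewed tool; the exposed service (tcp/22) is a hypothetical choice, and the ruleset is emitted in iptables-restore format so it can be inspected or syntax-checked before it is loaded.

```shell
#!/bin/sh
# Added example (not from the original post or the reviewed tool): a
# default-deny ruleset in iptables-restore format that only admits packets
# conntrack already associates with an outbound flow (ESTABLISHED,RELATED)
# plus explicitly allowed NEW connections. tcp/22 is a hypothetical choice.

# Emit the stateful ruleset. Policy is DROP on INPUT and FORWARD, so
# anything not matched by an ACCEPT rule is dropped by default.
stateful_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is trusted
-A INPUT -i lo -j ACCEPT
# replies to connections this host initiated, and helper-related flows
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# drop what conntrack cannot classify (out-of-window segments, stray ACKs)
-A INPUT -m conntrack --ctstate INVALID -j DROP
# the one inbound service explicitly allowed (hypothetical: SSH)
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# The "allow everything hitting the box" variant the comment worries about:
# ACCEPT policy and no state check at all, shown only for contrast.
permissive_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# Number of rules in a ruleset that consult conntrack state.
# Argument: the name of a ruleset function above. Prints the count.
count_state_rules() {
    "$1" | grep -c -- '--ctstate' || true
}

# Default policy of the INPUT chain (DROP or ACCEPT) for a ruleset function.
input_policy() {
    "$1" | sed -n 's/^:INPUT \([A-Z]*\).*/\1/p'
}

# Load the stateful ruleset atomically when run as root; otherwise only
# syntax-check it with iptables-restore --test if the binary is present.
apply_ruleset() {
    if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        stateful_ruleset | iptables-restore
    elif command -v iptables-restore >/dev/null 2>&1; then
        stateful_ruleset | iptables-restore --test
    else
        echo "iptables-restore not available; ruleset not applied" >&2
        return 1
    fi
}
```

Run `apply_ruleset` as root to load it; unprivileged, it only syntax-checks. The INVALID drop sits before the NEW accept on purpose: a packet that is not part of a tracked flow and is not a fresh SYN should never reach the service rule.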