Code review comment for lp:~xtoddx/nova/provider-fw-rules

Soren Hansen (soren) wrote :

> I was thinking that if I block an IRC host or some-such I don't want
> communication to happen just because the initiating connection comes from an
> instance. The blocks should pretty much be unconditional, regardless of who
> initiates the connection.

Then you shouldn't be filtering the incoming response. You should be filtering the outgoing connection on its way out.

We want acceptable connections to have to go through as little processing as possible. This means the first two rules should be "block invalid stuff" followed by "allow existing connections through". Adding anything else before the "allow existing connections" rule means every single packet belonging to an existing connection has to waste time being filtered against things that it'll never match.
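The two orderings discussed above, written out as an added example (this is not nova's own code); the chain name, the blocked host and the dry-run default are assumptions:

```shell
#!/bin/sh
# Added illustration of the rule ordering argued for above; not nova code.
# Chain name and blocked host are placeholders. By default the commands are
# only printed (IPT defaults to "echo iptables"); run with IPT=iptables as
# root to apply them for real.
IPT="${IPT:-echo iptables}"
CHAIN="nova-provider"            # placeholder chain name
BLOCKED_HOST="192.0.2.10"        # placeholder (TEST-NET-1), e.g. an IRC host

# Recommended order: drop invalid, accept existing, then the provider blocks.
# Packets of already-accepted connections are decided by rule 2 and never
# reach the block list. The block is applied to the connection attempt itself
# (NEW state) in either direction, so replies need no rule of their own.
provider_chain_good() {
    $IPT -N "$CHAIN"
    $IPT -A "$CHAIN" -m state --state INVALID -j DROP
    $IPT -A "$CHAIN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A "$CHAIN" -m state --state NEW -d "$BLOCKED_HOST" -j DROP  # instance -> host
    $IPT -A "$CHAIN" -m state --state NEW -s "$BLOCKED_HOST" -j DROP  # host -> instance
    $IPT -A "$CHAIN" -j RETURN
}

# The ordering the comment argues against: blocks sit ahead of the
# ESTABLISHED,RELATED rule, so every packet of every live connection is
# matched against the whole block list before it is let through.
provider_chain_slow() {
    $IPT -N "$CHAIN"
    $IPT -A "$CHAIN" -m state --state INVALID -j DROP
    $IPT -A "$CHAIN" -d "$BLOCKED_HOST" -j DROP
    $IPT -A "$CHAIN" -s "$BLOCKED_HOST" -j DROP
    $IPT -A "$CHAIN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A "$CHAIN" -j RETURN
}

# 1-based position of the ESTABLISHED accept rule in a chain function's
# dry-run output: how many rules a packet of a live connection must pass.
established_rule_index() {
    "$1" | grep -n 'ESTABLISHED' | head -n 1 | cut -d: -f1
}
```

In the dry run the ESTABLISHED rule is reached at position 3 in the recommended chain and position 5 in the slow one; with a long block list the gap grows by one per blocked host.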
