So here are my firewall rules built with the help of Firewall Builder. We'll start by looking at the NAT rules. Rule 0 allows all networks to NAT out to the Internet. Rule 1 is disabled but allows access to the DMZ. The DMZ is off during the summer to keep the DMZ server from running up the electric bill. Rule 2 is a lazy rule that enables me to print to my networked laser printer while I work from home logged into the work VPN. I say this is lazy because I used a much better design in the past: Apache with SSL reverse proxying to CUPS, with Windows XP printing remotely over an HTTPS URL, which protected the print data in transit across the Internet. The current setup will be disabled anyway, since printing seems to have been killed off by the dual-monitor setup. The printing rule is restricted to the VPN's Internet exit IP address.
We'll now look at the firewall rules. Rule 0 adds all internal networks to the Anti-Spoofing Rule.
Rule 1 enables loopback network communication on the router.
Rule 2 is sloppy but lets DHCP work on the internal network. You can see this done better in Firewall Builder's templates.
Rule 3 gives the guest network access to essential services on the gateway. FTP is provided so guests can take advantage of the USB drive attached to the Linksys e3000.
Rule 4 ensures all trusted networks can access everything needed on the home gateway.
Rule 5 lets ping and traceroute work.
Rule 6 lets the router communicate to everything on the network.
Rules 8 through 10 allow the VPN to be reached from the outside; rule 9, which allows HTTP, is disabled at this time.
Rule 11 allows printing while on the work VPN. The work VPN disables all local access when it is activated, which leaves me unable to reach my network printers.
Rule 12 stops all traffic not otherwise allowed to the firewall box.
Rule 13 gives the guest network access to the outside world only. Note that the guest network cannot access the other networks.
Rules 14, 15, and 16 allow the trusted networks to communicate everywhere.
Rule 17 will drop everything else not previously allowed in my home firewall.
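To make the design above concrete, here is an added shell script (my own example, not the Firewall Builder output the post describes) that writes an equivalent iptables rule set by hand: anti-spoofing on the WAN, loopback, a DHCP rule that matches the actual client-to-server exchange instead of allowing everything, a guest interface that may reach the gateway's DNS and the Internet but never the trusted LAN, unrestricted forwarding for the trusted LAN, default drops on INPUT and FORWARD, and a MASQUERADE NAT rule out the WAN. The interface names (`vlan2`, `br0`, `wl0.1`), subnets and the OpenVPN port are assumptions standing in for the author's real values; by default the script only prints the commands, so it can be read and checked without touching a live router.

```shell
#!/bin/sh
# Added example: hand-written iptables rules for a DD-WRT style home gateway
# mirroring the rule design discussed above. All names and addresses below are
# assumed placeholders, not the author's actual configuration.
WAN_IF=${WAN_IF:-vlan2}             # assumed WAN interface
LAN_IF=${LAN_IF:-br0}               # assumed trusted LAN bridge
GUEST_IF=${GUEST_IF:-wl0.1}         # assumed guest wireless interface
LAN_NET=${LAN_NET:-192.168.1.0/24}  # assumed trusted subnet
GUEST_NET=${GUEST_NET:-192.168.2.0/24}  # assumed guest subnet
VPN_PORT=${VPN_PORT:-1194}          # assumed OpenVPN listener on the gateway
# Dry run by default: "echo iptables" prints each command instead of applying it.
IPT=${IPT:-echo iptables}

# Rule 0 equivalent: packets arriving from the WAN must never carry an internal
# or loopback source address.
antispoof_rules() {
    for net in "$LAN_NET" "$GUEST_NET" 127.0.0.0/8; do
        $IPT -A INPUT   -i "$WAN_IF" -s "$net" -j DROP
        $IPT -A FORWARD -i "$WAN_IF" -s "$net" -j DROP
    done
}

# Traffic addressed to the gateway itself (rules 1 through 12 equivalent).
gateway_rules() {
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DHCP: only the real client->server exchange (UDP 68 -> 67) on internal interfaces
    $IPT -A INPUT -i "$LAN_IF"   -p udp --sport 68 --dport 67 -j ACCEPT
    $IPT -A INPUT -i "$GUEST_IF" -p udp --sport 68 --dport 67 -j ACCEPT
    # Guests get only name resolution from the gateway
    $IPT -A INPUT -i "$GUEST_IF" -s "$GUEST_NET" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$GUEST_IF" -s "$GUEST_NET" -p tcp --dport 53 -j ACCEPT
    # Trusted LAN may reach every service on the gateway
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    # ping and traceroute replies
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    # VPN reachable from the outside
    $IPT -A INPUT -i "$WAN_IF" -p udp --dport "$VPN_PORT" -j ACCEPT
    # Everything else aimed at the firewall box is dropped
    $IPT -A INPUT -j DROP
}

# Traffic passing through the gateway (rules 13 through 17 equivalent).
forward_rules() {
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Guest network: Internet only. The drop toward the LAN must come first.
    $IPT -A FORWARD -i "$GUEST_IF" -o "$LAN_IF" -j DROP
    $IPT -A FORWARD -i "$GUEST_IF" -o "$WAN_IF" -s "$GUEST_NET" -j ACCEPT
    # Trusted networks may go anywhere
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    # Default drop for anything not matched above
    $IPT -A FORWARD -j DROP
}

# NAT rule 0 equivalent: everything leaving the WAN is masqueraded.
nat_rules() {
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

all_rules() {
    antispoof_rules
    gateway_rules
    forward_rules
    nat_rules
}

# Self-check: the guest->LAN DROP must be emitted before the guest->WAN ACCEPT,
# otherwise rule order would let guests reach the trusted LAN.
guest_isolated() {
    drop=$(all_rules | grep -n -- "-i $GUEST_IF -o $LAN_IF -j DROP" | cut -d: -f1)
    accept=$(all_rules | grep -n -- "-i $GUEST_IF -o $WAN_IF" | cut -d: -f1)
    [ -n "$drop" ] && [ -n "$accept" ] && [ "$drop" -lt "$accept" ]
}

case "${1:-}" in
    --print) all_rules ;;                  # dry run: show the commands
    --apply) IPT=iptables; all_rules ;;    # apply for real (requires root on the router)
esac
```

Run it with `--print` to review the generated commands; `--apply` only makes sense on the router itself, after the dry run has been checked and with a way back in if the INPUT drop locks out the session.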
Here is the raw iptables rules script as created by Firewall Builder for DD-WRT.