So, now it's happy with remote logins on eth0 (first network card) and ip-less firewall bridge on eth1 and eth2.
Whee... here's the fun model
Internet -> School -> ip-less firewall (block unwanted connections here) -> nat translator (can block here, too) -> hub -> all the rest of the computers in the apartment. So, the only way to override policy on bridge is to be on the inside of the NAT. You can't get to the NAT to get on the inside if you are being blocked. Therefore we have a nice layer of insecurity.