From owner-freebsd-questions@FreeBSD.ORG  Mon Oct 31 05:04:43 2005
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 1A33516A41F;
	Mon, 31 Oct 2005 05:04:43 +0000 (GMT) (envelope-from parv@pair.com)
Received: from mta7.adelphia.net (mta7.adelphia.net [68.168.78.193])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 8300943D45;
	Mon, 31 Oct 2005 05:04:42 +0000 (GMT) (envelope-from parv@pair.com)
Received: from default.chvlva.adelphia.net ([69.160.76.67])
	by mta11.adelphia.net
	(InterMail vM.6.01.05.02 201-2131-123-102-20050715) with ESMTP id
	<20051031050324.ILYE19306.mta11.adelphia.net@default.chvlva.adelphia.net>;
	Mon, 31 Oct 2005 00:03:24 -0500
Received: by default.chvlva.adelphia.net (Postfix, from userid 1000)
	id 42B6BB5A2; Mon, 31 Oct 2005 00:03:37 -0500 (EST)
Date: Mon, 31 Oct 2005 00:03:37 -0500
From: Parv <parv@pair.com>
To: Vitaly Cherny <vitaly.cherny@gmail.com>
Message-ID: <20051031050337.GA21870@holestein.holy.cow>
Mail-Followup-To: Vitaly Cherny <vitaly.cherny@gmail.com>,
	"andy@neu.net" <andy@neu.net>, freebsd-questions@freebsd.org,
	freebsd-mobile@freebsd.org
References: <Pine.LNX.4.56.0510301731420.20733@Mira.dandy.net>
	<7bbc4caf0510302012t7a0794cakc77353bd66c2d98a@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <7bbc4caf0510302012t7a0794cakc77353bd66c2d98a@mail.gmail.com>
Cc: "andy@neu.net" <andy@neu.net>, freebsd-questions@freebsd.org,
	freebsd-mobile@freebsd.org
Subject: Re: laptop firewall rules
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Oct 2005 05:04:43 -0000

in message <7bbc4caf0510302012t7a0794cakc77353bd66c2d98a@mail.gmail.com>,
wrote Vitaly Cherny thusly...
>
> On 10/31/05, andy@neu.net <andy@neu.net> wrote:
> > Does anyone have a good example of a firewall ruleset for a wireless
> > interface in a laptop, or a pointer to documentation?  I want to use
> > IPFilter on 6.0 rc1.  I want to let all connections out and keep state,
> > but block all incoming from the outside.
> 
> To do this with ipfilter rather than ipfw, try these rules for your
> wireless interface (ath0 here):
> 
> pass out on ath0 proto tcp from any to any keep state
> pass out on ath0 proto udp from any to any port = domain keep state
> pass out on ath0 proto icmp from any to any keep state
> block out on ath0 all

Since ipf will use the last matched rule, will above not block all
outside access (unless you forgot to specify the "quick")?  See the
"FILTER RULES" section in ipf(5).

Above should be something like (substitute "<external-interface>" w/
actual one) ...

  pass in  quick on lo0  head 10
  pass out quick on lo0  head 15

  block in  on <external-interface> all
  block out on <external-interface> all
  pass out quick on <external-interface> proto tcp/udp from any to any keep state
  pass out quick on <external-interface> proto icmp from any to any keep state


... which can|should be further augmented; see ipf(5), ipftest(1),
and the ipfilter website.


  - Parv

--