From: Eric F Crist
To: Eric F Crist
Cc: andy@neu.net, freebsd-questions@freebsd.org, freebsd-mobile@freebsd.org
Date: Mon, 31 Oct 2005 05:52:05 -0600
Subject: Re: laptop firewall rules
List-Id: freebsd-questions (User questions)
On Oct 30, 2005, at 6:23 PM, Eric F Crist wrote:

> On Oct 30, 2005, at 4:41 PM, andy@neu.net wrote:
>
>> Does anyone have a good example of a firewall ruleset for a wireless
>> interface in a laptop, or a pointer to documentation? I want to use
>> IPFilter on 6.0 rc1. I want to let all connections out and keep state,
>> but block all incoming from the outside.
>>
>> TIA
>
> That ruleset is easy:
>
> ipfw add check-state
> ipfw add allow tcp from me to any setup keep-state
> ipfw add allow tcp from any to any established
> ipfw add deny from any to me in
>
> This should do the trick.

I forgot a couple of rules here. I'm assuming you want DNS to function, so here are two more rules to add, immediately above the last, deny, line:

ipfw add allow udp from me to any
ipfw add allow udp from any 53 to me

Also, that last line above should read:

ipfw add deny all from any to me in

-----
Eric F Crist
Secure Computing Networks
http://www.secure-computing.net
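A worked version of the laptop ruleset discussed in this thread, added here as an example and not taken from the thread or from any FreeBSD project file. It builds the rules as a POSIX sh function so the same script can be loaded on a FreeBSD box (via ipfw) or dry-run anywhere (IPFW=echo). It relies on keep-state for UDP as well as TCP, so DNS replies are matched by the dynamic rule rather than by a static port-53 rule, and it drops the "established" rule, since check-state already admits reply packets and an ACK-only rule would otherwise let unsolicited ACK packets in. The interface name wlan0, the rule numbers, and the LAPTOP_IPFW_APPLY switch are assumptions of this example; the DHCP rule is a belt-and-braces entry for stacks that deliver DHCP replies through the IP layer.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): stateful ipfw ruleset
# for a laptop's wireless interface.  Everything is allowed out with state
# kept; nothing unsolicited is allowed in.
#
# Assumptions (hypothetical, adjust for your host):
#   WIFI_IF  - the wireless interface (default wlan0)
#   IPFW     - the ipfw binary; set IPFW=echo for a dry run on any machine
#   LAPTOP_IPFW_APPLY=yes actually loads the rules (needs root on FreeBSD)
IPFW="${IPFW:-ipfw}"
WIFI_IF="${WIFI_IF:-wlan0}"

# Emit the ruleset, one "add ..." command per line, in evaluation order.
# ipfw evaluates by rule number and the first match wins, so check-state
# comes first and the catch-all deny last.  Anything that matches nothing
# here falls through to the kernel default rule 65535, which is deny on a
# stock FreeBSD kernel.
laptop_ruleset() {
    cat <<EOF
add 100 check-state
add 200 allow ip from any to any via lo0
add 300 allow tcp from me to any out via $WIFI_IF setup keep-state
add 400 allow udp from me to any out via $WIFI_IF keep-state
add 500 allow udp from any 67 to any 68 in via $WIFI_IF
add 600 allow icmp from any to any icmptypes 0,3,4,11 in via $WIFI_IF
add 650 allow icmp from me to any out via $WIFI_IF
add 65000 deny log ip from any to me in via $WIFI_IF
EOF
}

# Rule-by-rule notes:
#  100  admit packets that belong to a dynamic (keep-state) session
#  200  never firewall the loopback interface
#  300  outbound TCP: only the SYN (setup) creates state; replies hit 100
#  400  outbound UDP with state, which covers DNS, NTP, etc. replies
#  500  DHCP server->client replies (harmless if dhclient uses bpf instead)
#  600  ICMP echo-reply, unreachable, source-quench, time-exceeded inbound,
#       so traceroute and path-MTU discovery keep working
#  650  outbound ICMP (ping out)
# 65000 log and drop every other inbound packet addressed to us

# Feed each line to ipfw (or to echo for a dry run).  Returns ipfw's status.
apply_ruleset() {
    laptop_ruleset | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # word-splitting of $rule is intended
        $IPFW $rule || return 1
    done
}

# Usage:  IPFW=echo sh laptop-ipfw.sh            -> prints the rules
#         LAPTOP_IPFW_APPLY=yes sh laptop-ipfw.sh -> loads them (as root)
case "${LAPTOP_IPFW_APPLY:-no}" in
    yes) apply_ruleset ;;
esac
```

To test the policy rather than the text, run it with IPFW=echo first, then load it on the laptop and check `ipfw -d list` while a DNS lookup and a web fetch are in progress: each should show a dynamic rule created by rule 300 or 400, and an inbound connection attempt from another host should show up in the rule 65000 log (with net.inet.ip.fw.verbose=1) and nowhere else.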