Date:      Mon, 31 Oct 2005 17:12:57 +1300
From:      Vitaly Cherny <vitaly.cherny@gmail.com>
To:        "andy@neu.net" <andy@neu.net>
Cc:        freebsd-questions@freebsd.org, freebsd-mobile@freebsd.org
Subject:   Re: laptop firewall rules
Message-ID:  <7bbc4caf0510302012t7a0794cakc77353bd66c2d98a@mail.gmail.com>
In-Reply-To: <Pine.LNX.4.56.0510301731420.20733@Mira.dandy.net>
References:  <Pine.LNX.4.56.0510301731420.20733@Mira.dandy.net>

On 10/31/05, andy@neu.net <andy@neu.net> wrote:
> Does anyone have a good example of a firewall ruleset for a wireless
> interface in a laptop, or a pointer to documentation?  I want to use
> IPFilter on 6.0 rc1.  I want to let all connections out and keep state,
> but block all incoming from the outside.

To do this with ipfilter rather than ipfw, try these rules for your
wireless interface (ath0 here):

# drop unsolicited inbound; replies to outbound sessions enter via the state table
block in on ath0 all
# "quick" makes each pass rule final, otherwise the trailing block rule is the last match and wins
pass out quick on ath0 proto tcp from any to any keep state
pass out quick on ath0 proto udp from any to any port = domain keep state
pass out quick on ath0 proto icmp from any to any keep state
block out on ath0 all

This will allow you to resolve hostnames and establish TCP sessions.
Since UDP and ICMP are stateless, the "keep state" directive just
means that a "response" packet (one that matches certain criteria -
e.g. source/destination ports) will be accepted as matching a "state".

If you are planning to use IPSec, add similar rules for "proto esp"
and "proto ah" so your IPSec tunnel can be established. Check out all
the examples in /usr/share/example/ipfilter (if you have docs
installed) or search for IPFilter HOW-TO.

Vitaly
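Rule ordering is the part of an ipf ruleset that bites most often: ipf scans the rules top to bottom, the last matching rule wins unless a matching rule says `quick`, and a packet that matches nothing is passed. The small Python model below is added here (it is not from the message above nor from the IPFilter project) and evaluates a few constructed packets against two rulesets, showing why a trailing `block out ... all` needs `quick` on the pass rules above it and why an explicit `block in` rule is needed to meet the "block all incoming" requirement; the interface name ath0 and the sample ports are assumptions, and `keep state` tracking is not modelled.

```python
# Added example, not ipf itself: a tiny model of IPFilter rule ordering. Rules
# are scanned top to bottom and the LAST match wins unless a matching rule says
# "quick"; a packet matching no rule passes. "keep state" is not modelled here.
import re

RULE_RE = re.compile(
    r"^(?P<action>pass|block) (?P<dir>in|out)(?P<quick> quick)? on (?P<iface>\S+)"
    r"(?: proto (?P<proto>\S+))?(?: from \S+ to \S+)?(?: port = (?P<port>\S+))?"
    r"(?: keep state)?$")
SERVICES = {"domain": 53}      # service names resolved as /etc/services would

def parse_rules(text):
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip().replace(" all", " from any to any"))
        if not m:
            raise ValueError("unsupported rule syntax: " + line)
        r = m.groupdict()
        r["port"] = SERVICES.get(r["port"]) or (int(r["port"]) if r["port"] else None)
        rules.append(r)
    return rules

def evaluate(rules, direction, iface, proto, dport=None):
    verdict = "pass"           # ipf's default when nothing matches
    for r in rules:
        if r["dir"] != direction or r["iface"] != iface:
            continue
        if r["proto"] not in (None, proto) or r["port"] not in (None, dport):
            continue
        verdict = r["action"]  # last match so far wins ...
        if r["quick"]:         # ... unless it is quick: stop scanning here
            break
    return verdict

# Pass rule then a catch-all block without quick: the block is the last match,
# so outbound TCP is dropped, and no rule covers inbound traffic at all.
NO_QUICK = """
pass out on ath0 proto tcp from any to any keep state
block out on ath0 all
"""
# Same intent written correctly: quick makes the pass rules final, and an
# explicit block in rule drops unsolicited inbound traffic (constructed sample).
WITH_QUICK = """
block in on ath0 all
pass out quick on ath0 proto tcp from any to any keep state
pass out quick on ath0 proto udp from any to any port = domain keep state
block out on ath0 all
"""
def verdicts(rules):
    return {"out tcp": evaluate(rules, "out", "ath0", "tcp", 443),
            "out ntp": evaluate(rules, "out", "ath0", "udp", 123),
            "in ssh": evaluate(rules, "in", "ath0", "tcp", 22)}
```

Before loading a real ruleset, `ipf -n -f /etc/ipf.rules` parses it without applying anything, and `ipfstat -io` shows what is actually loaded.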
