Date:      Mon, 31 Oct 2005 00:03:37 -0500
From:      Parv <parv@pair.com>
To:        Vitaly Cherny <vitaly.cherny@gmail.com>
Cc:        "andy@neu.net" <andy@neu.net>, freebsd-questions@freebsd.org, freebsd-mobile@freebsd.org
Subject:   Re: laptop firewall rules
Message-ID:  <20051031050337.GA21870@holestein.holy.cow>
In-Reply-To: <7bbc4caf0510302012t7a0794cakc77353bd66c2d98a@mail.gmail.com>
References:  <Pine.LNX.4.56.0510301731420.20733@Mira.dandy.net> <7bbc4caf0510302012t7a0794cakc77353bd66c2d98a@mail.gmail.com>

in message <7bbc4caf0510302012t7a0794cakc77353bd66c2d98a@mail.gmail.com>,
wrote Vitaly Cherny thusly...
>
> On 10/31/05, andy@neu.net <andy@neu.net> wrote:
> > Does anyone have a good example of a firewall ruleset for a wireless
> > interface in a laptop, or a pointer to documentation?  I want to use
> > IPFilter on 6.0 rc1.  I want to let all connections out and keep state,
> > but block all incoming from the outside.
> 
> To do this with ipfilter rather than ipfw, try these rules for your
> wireless interface (ath0 here):
> 
> pass out on ath0 proto tcp from any to any keep state
> pass out on ath0 proto udp from any to any port = domain keep state
> pass out on ath0 proto icmp from any to any keep state
> block out on ath0 all

Since ipf will use the last matched rule, will the above not block all
outside access (unless you forgot to specify "quick")?  See the
"FILTER RULES" section in ipf(5).

The above should be something like (substitute "<external-interface>" with
the actual one) ...

  # loopback: never filtered
  pass in  quick on lo0  head 10
  pass out quick on lo0  head 15

  # default deny in both directions on the external interface ...
  block in  on <external-interface> all
  block out on <external-interface> all
  # ... then let our own traffic out; "quick" makes these decisive, and
  # "keep state" lets the replies back in without an explicit "pass in"
  pass out quick on <external-interface> proto tcp/udp from any to any keep state
  pass out quick on <external-interface> proto icmp from any to any keep state

... which can or should be further augmented; see ipf(5), ipftest(1)
and the ipfilter website.

  - Parv

-- 
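The reply above hinges on two IPFilter behaviours: without "quick" the last matching rule in the list decides a packet's fate, and a packet passed with "keep state" creates a state entry that lets the replies back in before any rule is consulted. The following is an added editorial example, not code from this thread or from the ipfilter project: a toy Python model of that evaluation order, fed both the posted ruleset and the corrected one. It parses only the keywords used in the thread ("head" is accepted but rule groups are not modelled, and addresses are not matched, since every rule says "from any to any"); "ath0" standing in for <external-interface> and the packet addresses are assumptions made for the demonstration.

```python
"""Toy model of ipf rule evaluation (editorial example, not ipfilter code).

Modelled: the LAST matching rule decides unless a matching rule says "quick";
a packet matching no rule at all is passed (ipf's default); "keep state" on a
passed packet records both directions in a state table that is checked first.
Not modelled: rule groups ("head"/"group") and address matching.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple

SERVICES = {"domain": 53}  # port names accepted after "port ="


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out"
    iface: str
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                       # "pass" or "block"
    direction: str                    # "in" or "out"
    quick: bool
    iface: Optional[str]              # None: any interface
    protos: Optional[FrozenSet[str]]  # None: any protocol
    dport: Optional[int]              # None: any destination port
    keep_state: bool
    text: str


def parse_rule(line: str) -> Rule:
    """Parse the subset of ipf.conf syntax that appears in the thread."""
    toks = line.split()
    action, direction = toks[0], toks[1]
    if action not in ("pass", "block") or direction not in ("in", "out"):
        raise ValueError(f"unsupported rule: {line!r}")
    quick, iface, protos, dport, keep = False, None, None, None, False
    i = 2
    while i < len(toks):
        t = toks[i]
        if t == "quick":
            quick, i = True, i + 1
        elif t == "on":
            iface, i = toks[i + 1], i + 2
        elif t == "all":
            i += 1
        elif t == "proto":                          # "tcp" or "tcp/udp"
            protos, i = frozenset(toks[i + 1].split("/")), i + 2
        elif t in ("from", "to"):                   # only "any" is modelled
            if toks[i + 1] != "any":
                raise ValueError(f"address matching not modelled: {line!r}")
            i += 2
        elif t == "port" and toks[i + 1] == "=":    # after "to": destination port
            name = toks[i + 2]
            dport, i = (SERVICES[name] if name in SERVICES else int(name)), i + 3
        elif t == "keep" and toks[i + 1] == "state":
            keep, i = True, i + 2
        elif t == "head":                           # group head: accepted, ignored
            i += 2
        else:
            raise ValueError(f"unsupported token {t!r} in {line!r}")
    return Rule(action, direction, quick, iface, protos, dport, keep, line)


class Firewall:
    def __init__(self, rules):
        self.rules = [parse_rule(r) for r in rules if r.strip()]
        self.state: Set[Tuple] = set()

    @staticmethod
    def _matches(rule: Rule, pkt: Packet) -> bool:
        return (rule.direction == pkt.direction
                and (rule.iface is None or rule.iface == pkt.iface)
                and (rule.protos is None or pkt.proto in rule.protos)
                and (rule.dport is None or rule.dport == pkt.dport))

    def filter(self, pkt: Packet) -> str:
        """Return "pass", "block" or "pass (state)" for one packet."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.state:
            return "pass (state)"          # state table wins before any rule
        verdict, winner = "pass", None     # nothing matches: ipf passes the packet
        for rule in self.rules:
            if self._matches(rule, pkt):
                verdict, winner = rule.action, rule
                if rule.quick:
                    break                  # "quick": this rule decides, stop walking
        # without "quick", the last matching rule seen in the loop decides
        if verdict == "pass" and winner is not None and winner.keep_state:
            self.state.add(key)            # remember the flow and its reverse
            self.state.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return verdict


# The rules as posted (no "quick" anywhere).
POSTED_RULES = [
    "pass out on ath0 proto tcp from any to any keep state",
    "pass out on ath0 proto udp from any to any port = domain keep state",
    "pass out on ath0 proto icmp from any to any keep state",
    "block out on ath0 all",
]

# The corrected rules, with <external-interface> replaced by ath0 (assumption).
CORRECTED_RULES = [
    "pass in  quick on lo0  head 10",
    "pass out quick on lo0  head 15",
    "block in  on ath0 all",
    "block out on ath0 all",
    "pass out quick on ath0 proto tcp/udp from any to any keep state",
    "pass out quick on ath0 proto icmp from any to any keep state",
]


def demo(rules) -> Dict[str, str]:
    """Run three constructed packets through a fresh firewall: an outbound HTTP
    SYN, its SYN/ACK reply, and an unsolicited inbound SSH probe (addresses are
    made-up documentation ranges)."""
    fw = Firewall(rules)
    syn = Packet("out", "ath0", "tcp", "192.0.2.10", 40000, "203.0.113.10", 80)
    synack = Packet("in", "ath0", "tcp", "203.0.113.10", 80, "192.0.2.10", 40000)
    probe = Packet("in", "ath0", "tcp", "198.51.100.7", 55555, "192.0.2.10", 22)
    return {"outbound": fw.filter(syn),
            "reply": fw.filter(synack),
            "unsolicited": fw.filter(probe)}


if __name__ == "__main__":
    for name, rules in (("posted", POSTED_RULES), ("corrected", CORRECTED_RULES)):
        print(name, demo(rules))
```

Under this model the posted ruleset blocks the outbound SYN (its "pass out ... tcp" matches first, but "block out on ath0 all" matches last and wins) while leaving inbound traffic entirely to ipf's pass-by-default, which is the opposite of what was asked for. The corrected ruleset passes the SYN via the "quick" rule, lets the SYN/ACK back in through the state table, and blocks the unsolicited probe. ipftest(1), mentioned in the reply, does the same kind of dry run against a real ipf.conf.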