From owner-freebsd-questions@FreeBSD.ORG Mon Oct 31 14:44:11 2005
Date: Mon, 31 Oct 2005 16:44:03 +0200
From: Giorgos Keramidas
To: andy@neu.net
Cc: freebsd-questions@freebsd.org, freebsd-mobile@freebsd.org
Message-ID: <20051031144403.GA2122@flame.pc>
Subject: Re: laptop firewall rules

On 2005-10-30 17:41, andy@neu.net wrote:
> Does anyone have a good example of a firewall ruleset for a wireless
> interface in a laptop, or a pointer to documentation? I want to use
> IPFilter on 6.0 rc1.

I'd strongly recommend pf(4) over IP Filter.
The PF firewall seems to have all the features IP Filter has and it's
also better maintained, AFAIK.

> I want to let all connections out and keep state, but block all
> incoming from the outside.

Good idea. I'm using a fairly restrictive set of firewall rules, even
in networks where my laptop has to use DHCP:

% # Firewall rules for the pf(4) firewall.
% # Giorgos Keramidas
% #
% # Based on:
% # $FreeBSD: src/etc/pf.conf,v 1.2 2004/09/14 01:07:18 mlaier Exp $
% # $OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
%
% # Blocked TCP gets a RST and blocked UDP an ICMP unreachable,
% # instead of a silent drop.
% set block-policy return
% set require-order yes
% # Do not filter loopback traffic at all.
% set skip on lo0
%
% # Normalize (defragment, sanity-check) all incoming packets.
% scrub in all
%
% ### Packet filtering:
%
% # Rules are evaluated in order and the last matching rule wins, so
% # these two set the default and the later "pass" rules carve out
% # the exceptions.
% block in log all
% block out log all
%
% # Allow all ICMP packets.
% # They are mostly useful and rate-limited by the kernel anyway.
% pass in proto icmp all
% pass out proto icmp all
%
% # Allow all outgoing connections.  The state entry lets the replies
% # back in without any explicit "pass in" rule.
% pass out proto { tcp, udp } all keep state (no-sync)
%
% # Allow some incoming connections (only SSH here).
% pass in proto tcp from any to any port = 22 keep state (no-sync)

Note that, skipping the PF options near the beginning and the
"(no-sync)" options that are PF-specific, you can almost certainly use
the same ruleset for IP Filter.

- Giorgos
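The point of the ruleset above is the interaction between pf's "last matching rule wins" ordering and the state table: the two "block ... all" rules set the default, the later "pass" rules override them for the traffic they match, and replies to a stateful outbound connection are admitted by the state entry rather than by any "pass in" rule. The following toy evaluator is an added example, not code from the mail or from the pf project; it models only the subset of pf.conf syntax the posted ruleset uses (block/pass, in/out, proto lists, a destination port match, keep state) and ignores "set skip", "scrub", "block-policy" and logging. The packets it checks are constructed for the demonstration.

```python
"""Toy model of pf(4) rule evaluation for the ruleset posted above.

Added example; not the mail author's code and not pf's own logic.
Models: block/pass, in/out, proto lists, 'port = N', 'keep state',
and last-matching-rule-wins ordering (the ruleset has no 'quick').
Not modeled: set skip on lo0, scrub, block-policy, log, addresses.
"""
import re
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Constructed copy of the posted filtering rules (the 'set'/'scrub'
# options are left out because this model does not interpret them).
RULESET = """
block in log all
block out log all
pass in proto icmp all
pass out proto icmp all
pass out proto { tcp, udp } all keep state (no-sync)
pass in proto tcp from any to any port = 22 keep state (no-sync)
"""

RULE_RE = re.compile(
    r"^(pass|block)\s+(in|out)(?:\s+log)?"
    r"(?:\s+proto\s+(\{[^}]*\}|\w+))?"
    r"(?:\s+all|\s+from\s+any\s+to\s+any(?:\s+port\s*=\s*(\d+))?)?"
    r"(\s+keep\s+state(?:\s*\([^)]*\))?)?\s*$"
)


@dataclass
class Rule:
    action: str               # "pass" or "block"
    direction: str            # "in" or "out"
    protos: Optional[Set[str]]  # None means any protocol
    port: Optional[int]       # destination port, None means any
    keep_state: bool


def parse_rules(text: str):
    """Parse the supported pf.conf subset into Rule objects, in file order."""
    rules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        action, direction, proto, port, keep = m.groups()
        protos = None
        if proto:
            protos = {p.strip() for p in proto.strip("{} ").split(",")}
        rules.append(Rule(action, direction, protos,
                          int(port) if port else None, bool(keep)))
    return rules


@dataclass
class Firewall:
    rules: list
    # State table keyed as (proto, local_port, remote_port); constructed
    # simplification of pf's real state keys (no addresses, no sequence numbers).
    states: Set[Tuple[str, int, int]] = field(default_factory=set)

    def evaluate(self, direction: str, proto: str, sport: int, dport: int) -> str:
        """Return 'pass' or 'block' for one packet, updating the state table."""
        local, remote = (sport, dport) if direction == "out" else (dport, sport)
        # Packets that belong to an existing state bypass the ruleset entirely.
        if (proto, local, remote) in self.states:
            return "pass"
        # Walk every rule; without 'quick', the last match decides.
        matched = None
        for rule in self.rules:
            if rule.direction != direction:
                continue
            if rule.protos is not None and proto not in rule.protos:
                continue
            if rule.port is not None and dport != rule.port:
                continue
            matched = rule
        if matched is None:
            return "pass"          # pf's default when no rule matches
        if matched.action == "pass" and matched.keep_state:
            self.states.add((proto, local, remote))
        return matched.action


def demo():
    """Run constructed packets through the posted ruleset."""
    fw = Firewall(parse_rules(RULESET))
    return {
        "ssh_in": fw.evaluate("in", "tcp", 51000, 22),
        "http_in": fw.evaluate("in", "tcp", 51001, 80),
        "https_out": fw.evaluate("out", "tcp", 52000, 443),
        "https_reply": fw.evaluate("in", "tcp", 443, 52000),
        "dns_out": fw.evaluate("out", "udp", 53000, 53),
        "dns_reply": fw.evaluate("in", "udp", 53, 53000),
        "unsolicited_udp_in": fw.evaluate("in", "udp", 53, 53001),
        "icmp_in": fw.evaluate("in", "icmp", 0, 0),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

The two outcomes worth noticing are "https_reply" and "unsolicited_udp_in": both are inbound packets that no "pass in" rule covers, but the first passes because the earlier outbound HTTPS packet created a state entry, while the second is blocked by "block in log all". That is exactly the "let everything out, keep state, block everything unsolicited" policy the original question asked for.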