From: Eric F Crist
Date: Sun, 30 Oct 2005 18:23:22 -0600
To: andy@neu.net
Cc: freebsd-questions@freebsd.org, freebsd-mobile@freebsd.org
Subject: Re: laptop firewall rules

On Oct 30, 2005, at 4:41 PM, andy@neu.net wrote:

> Does anyone have a good example of a firewall ruleset for a wireless
> interface in a laptop, or a pointer to documentation?  I want to use
> IPFilter on 6.0 rc1.  I want to let all connections out and keep state,
> but block all incoming from the outside.
>
> TIA

That ruleset is easy:

    ipfw add check-state
    ipfw add allow tcp from me to any setup keep-state
    ipfw add allow tcp from any to any established
    ipfw add deny ip from any to me in

This should do the trick.

-----
Eric F Crist
Secure Computing Networks
http://www.secure-computing.net
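
Added example, not part of the original message: a simplified Python model of how ipfw's first-match evaluation applies the four rules above to a few constructed packets. The address `ME`, the sample packets and the final default-deny rule are assumptions of this sketch.

```python
# Added example: simplified first-match model of the four ipfw rules above.
# Assumptions: ME is a constructed address; the kernel's final rule is deny.
from collections import namedtuple

Pkt = namedtuple("Pkt", "proto src sport dst dport flags direction")
ME = "192.0.2.10"  # constructed laptop address

def flow_key(p):
    # A dynamic rule matches both directions of a flow: order the endpoints.
    return (p.proto,) + tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

def evaluate(p, state):
    """Return (verdict, matching rule); state holds keep-state flow keys."""
    if flow_key(p) in state:                        # check-state
        return "allow", "check-state"
    tcp = p.proto == "tcp"
    if tcp and p.src == ME and "S" in p.flags and "A" not in p.flags:
        state.add(flow_key(p))                      # setup keep-state
        return "allow", "setup keep-state"
    if tcp and ("A" in p.flags or "R" in p.flags):  # established: flags only
        return "allow", "established"
    if p.dst == ME and p.direction == "in":         # deny ... to me in
        return "deny", "deny to me in"
    return "deny", "default"                        # assumed default rule

def trace():
    """Run constructed packets through the rules in order, sharing state."""
    state = set()
    packets = [
        Pkt("tcp", ME, 40000, "198.51.100.5", 443, "S", "out"),   # laptop connects
        Pkt("tcp", "198.51.100.5", 443, ME, 40000, "SA", "in"),   # server reply
        Pkt("tcp", "203.0.113.7", 5555, ME, 22, "S", "in"),       # unsolicited SYN
        Pkt("tcp", "203.0.113.7", 5555, ME, 22, "A", "in"),       # unsolicited ACK
        Pkt("udp", ME, 40001, "198.51.100.53", 53, "", "out"),    # DNS query
    ]
    return [evaluate(p, state) for p in packets]

if __name__ == "__main__":
    for verdict, rule in trace():
        print(f"{verdict:5} by {rule}")
```

In this model the fourth packet is passed because `established` tests TCP flags rather than the state table, and the fifth is dropped because only TCP has a pass rule.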