From: Vitaly Cherny
To: andy@neu.net
Cc: freebsd-questions@freebsd.org, freebsd-mobile@freebsd.org
Date: Mon, 31 Oct 2005 17:12:57 +1300
Subject: Re: laptop firewall rules

On 10/31/05, andy@neu.net wrote:
> Does anyone have a good example of a firewall ruleset for a wireless
> interface in a laptop, or a pointer to documentation? I want to use
> IPFilter on 6.0 rc1. I want to let all connections out and keep state,
> but block all incoming from the outside.

To do this with ipfilter rather than ipfw, try these rules for your
wireless interface (ath0 here):

    # ipfilter applies the LAST matching rule unless "quick" is given,
    # so the default block rules go first and the pass rules after them.
    block in on ath0 all
    block out on ath0 all
    pass out on ath0 proto tcp from any to any keep state
    pass out on ath0 proto udp from any to any port = domain keep state
    pass out on ath0 proto icmp from any to any keep state

This will allow you to resolve hostnames and establish TCP sessions.
Since UDP and ICMP are stateless, the "keep state" directive just means
that a "response" packet (one that matches certain criteria - e.g.
source/destination ports) will be accepted as matching a "state".

If you are planning to use IPSec, add similar rules for "proto esp" and
"proto ah" so your IPSec tunnel can be established.

Check out all the examples in /usr/share/example/ipfilter (if you have
docs installed) or search for IPFilter HOW-TO.

Vitaly
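As an added illustration (my code, not Vitaly's or the ipfilter project's), a small Python model of how ipfilter reads such a ruleset: the state table is consulted first, and with no "quick" keyword the last matching rule decides, which is why the block rules should sit before the pass rules. It is deliberately simplified (ports only, no addresses or timeouts) and the sample packets are constructed.

```python
import re
# Accepts only the rule shapes used in the posting above.
RULE_RE = re.compile(
    r"^(?P<action>pass|block) (?P<dir>in|out) on (?P<ifc>\S+)"
    r"(?: proto (?P<proto>\S+))?(?: from any to any)?"
    r"(?: port = (?P<port>\S+))?(?: all)?(?P<state> keep state)?$")
PORTS = {"domain": 53}
POSTED = """\
pass out on ath0 proto tcp from any to any keep state
pass out on ath0 proto udp from any to any port = domain keep state
pass out on ath0 proto icmp from any to any keep state
block out on ath0 all
"""
REORDERED = """\
block in on ath0 all
block out on ath0 all
pass out on ath0 proto tcp from any to any keep state
pass out on ath0 proto udp from any to any port = domain keep state
pass out on ath0 proto icmp from any to any keep state
"""
# Constructed traffic: a DNS query, its reply, an unsolicited inbound SYN to ssh.
PACKETS = [("out", "udp", 40000, 53), ("in", "udp", 53, 40000),
           ("in", "tcp", 55555, 22)]

def parse(text):
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unsupported rule: " + line)
        rules.append(m.groupdict())
    return rules

def evaluate(rules, packets):
    """Return one verdict per (direction, proto, sport, dport) packet."""
    state = set()            # (proto, local port, remote port) from keep state
    verdicts = []
    for d, proto, sport, dport in packets:
        local, remote = (sport, dport) if d == "out" else (dport, sport)
        if (proto, local, remote) in state:   # reply matched before any rule
            verdicts.append("pass (state)")
            continue
        verdict, keep = "pass", False         # ipf default when nothing matches
        for r in rules:                       # no "quick": LAST match wins
            if r["dir"] != d or (r["proto"] and r["proto"] != proto):
                continue
            if r["port"] and PORTS.get(r["port"]) != dport:
                continue
            verdict, keep = r["action"], bool(r["state"])
        if verdict == "pass" and keep:
            state.add((proto, local, remote))
        verdicts.append(verdict)
    return verdicts
```

With the pass rules ahead of "block out all", the DNS query is blocked and both inbound packets fall through to the default pass; with the blocks first, the query passes, its reply is matched by state and the unsolicited SYN is blocked.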