Date: Mon, 31 Oct 2005 16:44:03 +0200
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: andy@neu.net
Cc: freebsd-questions@freebsd.org, freebsd-mobile@freebsd.org
Subject: Re: laptop firewall rules
Message-ID: <20051031144403.GA2122@flame.pc>
In-Reply-To: <Pine.LNX.4.56.0510301731420.20733@Mira.dandy.net>
References: <Pine.LNX.4.56.0510301731420.20733@Mira.dandy.net>
On 2005-10-30 17:41, andy@neu.net wrote:
> Does anyone have a good example of a firewall ruleset for a wireless
> interface in a laptop, or a pointer to documentation? I want to use
> IPFilter on 6.0 rc1.

I'd strongly recommend pf(4) over IP Filter. The PF firewall seems to
have all the features IP Filter has and it's also better maintained,
AFAIK.

> I want to let all connections out and keep state, but block all
> incoming from the outside.

Good idea. I'm using a fairly restrictive set of firewall rules, even
in networks where my laptop has to use DHCP:

% # Firewall rules for the pf(4) firewall.
% # Giorgos Keramidas <keramida@freebsd.org>
% #
% # Based on:
% # $FreeBSD: src/etc/pf.conf,v 1.2 2004/09/14 01:07:18 mlaier Exp $
% # $OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
%
% set block-policy return
% set require-order yes
% set skip on lo0
%
% scrub in all
%
% ### Packet filtering:
%
% block in log all
% block out log all
%
% # Allow all ICMP packets.
% # They are mostly useful and rate-limited by the kernel anyway.
% pass in proto icmp all
% pass out proto icmp all
%
% # Allow all outgoing connections.
% pass out proto { tcp, udp } all keep state (no-sync)
%
% # Allow some incoming connections.
% pass in proto tcp from any to any port = 22 keep state (no-sync)

Note that, skipping the PF options near the beginning and the
"(no-sync)" options that are PF-specific, you can almost certainly use
the same ruleset for IP Filter.

- Giorgos
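Since the original poster asked about IP Filter, here is the same policy written as an ipf(5) ruleset. This is an added example, not part of Giorgos' message or of FreeBSD's stock configuration; it assumes the policy described above (everything out with state, only ssh in) and a FreeBSD 6-era IP Filter. Both pf and IP Filter apply the last matching rule unless a rule says "quick", so the block-then-pass ordering of the pf version carries over unchanged. The pf-only pieces ("set skip", "set block-policy", "scrub", "(no-sync)") have no one-to-one translation and are handled in the comments.

```conf
# /etc/ipf.rules -- IP Filter version of the pf ruleset quoted above.
# Added example; not from the original message.

# pf's "set skip on lo0" has no IPF equivalent: pass loopback explicitly.
pass in quick on lo0 all
pass out quick on lo0 all

# Default policy: block everything, logged.  The two "return" rules come
# after the generic blocks so that, for TCP and UDP, the *last* matching
# block rule answers with RST / port-unreachable instead of dropping
# silently, which is what pf's "set block-policy return" does.
block in log all
block out log all
block return-rst in log proto tcp from any to any
block return-icmp(port-unr) in log proto udp from any to any

# pf's "scrub in all" has no direct counterpart; the closest IPF offers
# is "keep frags" on the state rules below, so fragments of an existing
# session are tracked.

# Allow all ICMP, as in the pf ruleset.
pass in quick proto icmp from any to any
pass out quick proto icmp from any to any

# All outgoing TCP and UDP, with state so the replies get back in.
# pf's "{ tcp, udp }" is spelled as two rules here; pf's "(no-sync)" is
# pf-specific and simply dropped.  "flags S" means only a SYN creates
# the TCP state entry, not a stray mid-stream packet.
pass out quick proto tcp from any to any flags S keep state keep frags
pass out quick proto udp from any to any keep state keep frags

# The only service reachable from outside: ssh.
pass in quick proto tcp from any to any port = 22 flags S keep state
```

To use it on FreeBSD 6, put ipfilter_enable="YES" and ipfilter_rules="/etc/ipf.rules" in /etc/rc.conf, and reload after edits with "ipf -Fa -f /etc/ipf.rules" (flush all rules, then load the file). The pf equivalent is pf_enable="YES" with pf_rules="/etc/pf.conf", reloaded with "pfctl -f /etc/pf.conf"; in either case check the syntax first (pfctl -nf /etc/pf.conf for pf) before loading on a laptop you are connected to over ssh, since a typo in the default-block rules locks you out.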