laptop firewall rules
Vitaly Cherny
vitaly.cherny at gmail.com
Tue Nov 1 15:01:11 PST 2005
On 10/31/05, andy at neu.net <andy at neu.net> wrote:
> Does anyone have a good example of a firewall ruleset for a wireless
> interface in a laptop, or a pointer to documentation? I want to use
> IPFilter on 6.0 rc1. I want to let all connections out and keep state,
> but block all incoming from the outside.
To do this with ipfilter rather than ipfw, try these rules for your
wireless interface (ath0 here):
# ipf tries every rule and the LAST matching rule wins (unless a rule says
# "quick"), so the blocks go first and the pass rules last; "block in"
# is what drops unsolicited traffic from the outside.
block in on ath0 all
block out on ath0 all
pass out on ath0 proto tcp from any to any keep state
pass out on ath0 proto udp from any to any port = domain keep state
pass out on ath0 proto icmp from any to any keep state
This will allow you to resolve hostnames and establish TCP sessions.
Since UDP and ICMP are stateless, the "keep state" directive just
means that a "response" packet (one that matches certain criteria -
e.g. source/destination ports) will be accepted as matching a "state".
If you are planning to use IPSec, add similar rules for "proto esp"
and "proto ah" so your IPSec tunnel can be established. Check out all
the examples in /usr/share/examples/ipfilter (if you have docs
installed) or search for IPFilter HOW-TO.
Vitaly
_______________________________________________
freebsd-questions at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
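The reply above leans on two ipf behaviours that are easy to get wrong: the last matching rule decides unless a rule is marked "quick", and "keep state" lets reply packets in through the state table before the rules are consulted. The toy model below is an added example (not ipf's own code and not from the original post); it implements those two semantics from ipf.conf(5) in a few dozen lines and pushes a constructed traffic sample (interface ath0, private and documentation addresses, all made up) through three orderings of the laptop ruleset, so you can see which one actually does what the question asked for.

```python
"""Toy model of IPFilter (ipf) rule evaluation, for illustration only.

Modelled (simplified) ipf.conf(5) semantics:
  * the state table is consulted before the rule list;
  * rules are tried top to bottom and the LAST match decides, unless a
    matching rule carries "quick", which ends evaluation at once;
  * a packet matching no rule at all is passed (ipf's default);
  * "keep state" on a winning pass rule records the flow, so later
    packets of that flow and their replies pass without hitting the rules.
Addresses are not matched; only iface, proto, "port = N|domain" are.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out"
    iface: str
    proto: str      # "tcp", "udp", "icmp", "esp", "ah", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass
class Rule:
    action: str     # "pass" or "block"
    direction: str
    iface: str
    proto: str = "any"
    dport: Optional[int] = None
    quick: bool = False
    keep_state: bool = False

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction and self.iface == p.iface
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


def parse_rule(line: str) -> Rule:
    """Parse the subset of ipf.conf syntax used by the rules in this thread."""
    t = line.split()
    proto = t[t.index("proto") + 1] if "proto" in t else "any"
    dport = None
    if "port" in t:                       # "port = domain" / "port = 53"
        name = t[t.index("port") + 2]
        dport = 53 if name == "domain" else int(name)
    return Rule(action=t[0], direction=t[1], iface=t[t.index("on") + 1],
                proto=proto, dport=dport, quick="quick" in t,
                keep_state="keep" in t and "state" in t)


class Firewall:
    def __init__(self, ruleset: str):
        self.rules = [parse_rule(l) for l in ruleset.splitlines() if l.strip()]
        self.state = set()  # flow keys recorded by winning "keep state" rules

    @staticmethod
    def _key(p: Packet, reverse: bool = False):
        if reverse:  # key under which the flow p is a reply to was recorded
            return (p.proto, p.dst, p.dport, p.src, p.sport)
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def filter(self, p: Packet) -> str:
        if self._key(p) in self.state or self._key(p, True) in self.state:
            return "pass"                 # state table wins; rules not consulted
        decision, winner = "pass", None   # no match at all => ipf passes
        for r in self.rules:
            if r.matches(p):
                decision, winner = r.action, r
                if r.quick:
                    break                 # "quick": this rule is final
        if decision == "pass" and winner is not None and winner.keep_state:
            self.state.add(self._key(p))
        return decision


# Three orderings of the same laptop ruleset.  "block in on ath0 all" is
# the line that implements "block all incoming from the outside".
PASS_THEN_BLOCK = """\
pass out on ath0 proto tcp from any to any keep state
pass out on ath0 proto udp from any to any port = domain keep state
pass out on ath0 proto icmp from any to any keep state
block out on ath0 all
"""
BLOCK_FIRST = """\
block in on ath0 all
block out on ath0 all
pass out on ath0 proto tcp from any to any keep state
pass out on ath0 proto udp from any to any port = domain keep state
pass out on ath0 proto icmp from any to any keep state
"""
QUICK = """\
block in on ath0 all
pass out quick on ath0 proto tcp from any to any keep state
pass out quick on ath0 proto udp from any to any port = domain keep state
pass out quick on ath0 proto icmp from any to any keep state
block out on ath0 all
"""


def run(ruleset: str) -> dict:
    """Push a constructed traffic sample through a ruleset; return verdicts."""
    fw = Firewall(ruleset)
    me, web, dns, atk = "10.0.0.5", "203.0.113.10", "203.0.113.53", "198.51.100.7"
    return {
        "outbound https":  fw.filter(Packet("out", "ath0", "tcp", me, web, 49152, 443)),
        "reply to it":     fw.filter(Packet("in", "ath0", "tcp", web, me, 443, 49152)),
        "outbound dns":    fw.filter(Packet("out", "ath0", "udp", me, dns, 5353, 53)),
        "unsolicited ssh": fw.filter(Packet("in", "ath0", "tcp", atk, me, 4444, 22)),
    }
```

Running `run()` on each ruleset shows the point: with the pass rules first and a trailing `block out` without `quick`, the block is the last match for every outbound packet, so nothing gets out and no state is ever created, while inbound traffic is never blocked because no rule mentions it. Putting the blocks first, or marking the pass rules `quick`, gives the intended result: outbound TCP and DNS pass, their replies come back through the state table, and an unsolicited inbound SYN is dropped. On a real box, `ipfstat -s` and `ipfstat -io` show the state table and the rules actually loaded.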