laptop firewall rules
Giorgos Keramidas
keramida at ceid.upatras.gr
Mon Oct 31 06:44:11 PST 2005
On 2005-10-30 17:41, andy at neu.net wrote:
> Does anyone have a good example of a firewall ruleset for a wireless
> interface in a laptop, or a pointer to documentation? I want to use
> IPFilter on 6.0 rc1.
I'd strongly recommend pf(4) over IP Filter. The PF firewall
seems to have all the features IP Filter has and it's also better
maintained, AFAIK.
> I want to let all connections out and keep state, but block all
> incoming from the outside.
Good idea. I'm using a fairly restrictive set of firewall
rules, even in networks where my laptop has to use DHCP:
% # Firewall rules for the pf(4) firewall.
% # Giorgos Keramidas <keramida at freebsd.org>
% #
% # Based on:
% # $FreeBSD: src/etc/pf.conf,v 1.2 2004/09/14 01:07:18 mlaier Exp $
% # $OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
%
% set block-policy return
% set require-order yes
% set skip on lo0
%
% scrub in all
%
% ### Packet filtering:
%
% block in log all
% block out log all
%
% # Allow all ICMP packets.
% # They are mostly useful and rate-limited by the kernel anyway.
% pass in proto icmp all
% pass out proto icmp all
%
% # Allow all outgoing connections.
% pass out proto { tcp, udp } all keep state (no-sync)
%
% # Allow some incoming connections.
% pass in proto tcp from any to any port = 22 keep state (no-sync)
Note that, skipping the PF options near the beginning and the
"(no-sync)" options that are PF-specific, you can almost
certainly use the same ruleset for IP Filter.
- Giorgos
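The same policy written for IP Filter, as an added example that is not part of Giorgos's message: it keeps the structure of his pf ruleset (IP Filter, like pf, applies the last matching rule unless "quick" is given), drops the pf-only "set" and "scrub" lines and the "(no-sync)" option, and splits the "{ tcp, udp }" list into two rules because IP Filter has no list syntax. The file path /etc/ipf.rules and the explicit lo0 rules are assumptions.

```conf
# /etc/ipf.rules (assumed path): IP Filter translation of the pf ruleset above.
# IP Filter, like pf, applies the LAST matching rule unless "quick" is given,
# so the catch-all blocks come first and the specific passes follow.

# Loopback: pf's "set skip on lo0" has no ipf equivalent, so pass it explicitly.
pass in  quick on lo0 all
pass out quick on lo0 all

# Default deny, logged (pf: block in/out log all).
block in  log all
block out log all

# ICMP in both directions, matching the pf rules.
pass in  proto icmp from any to any
pass out proto icmp from any to any

# All outgoing connections with state. pf's "{ tcp, udp }" list becomes two
# rules; "flags S" creates TCP state only on the initial SYN. "keep frags"
# is the nearest IP Filter counterpart of pf's "scrub in all" for fragments.
pass out proto tcp from any to any flags S keep state keep frags
pass out proto udp from any to any keep state keep frags

# The single inbound service, ssh, as in the pf ruleset.
pass in  proto tcp from any to any port = 22 flags S keep state
```

Check the syntax with "ipf -n -f /etc/ipf.rules" before loading it with "ipf -Fa -f /etc/ipf.rules"; on FreeBSD, ipfilter_enable="YES" and ipfilter_rules="/etc/ipf.rules" in rc.conf load it at boot.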