laptop firewall rules

Vitaly Cherny vitaly.cherny at
Tue Nov 1 15:01:11 PST 2005

On 10/31/05, andy at <andy at> wrote:
> Does anyone have a good example of a firewall ruleset for a wireless
> interface in a laptop, or a pointer to documentation?  I want to use
> IPFilter on 6.0 rc1.  I want to let all connections out and keep state,
> but block all incoming from the outside.

To do this with ipfilter rather than ipfw, try these rules for your
wireless interface (ath0 here):

# ipf uses last-match semantics (no "quick"), so the catch-all blocks must
# come first; later pass rules then override them for the traffic we want.
block in on ath0 all
block out on ath0 all
pass out on ath0 proto tcp from any to any keep state
pass out on ath0 proto udp from any to any port = domain keep state
pass out on ath0 proto icmp from any to any keep state

This will allow you to resolve hostnames and establish TCP sessions.
Since UDP and ICMP are stateless, the "keep state" directive just
means that a "response" packet (one that matches certain criteria -
e.g. source/destination ports) will be accepted as matching a "state".

If you are planning to use IPSec, add similar rules for "proto esp"
and "proto ah" so your IPSec tunnel can be established. Check out all
the examples in /usr/share/examples/ipfilter (if you have docs
installed) or search for IPFilter HOW-TO.
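The reason rule order matters here is that IPFilter walks the whole list and lets the last matching rule decide, unless a matching rule carries "quick". The script below is an added example (not from this thread or from the IPFilter project) that models just that behaviour for a handful of rule forms, so you can check a ruleset offline before loading it with ipf. It assumes a default verdict of "pass" when nothing matches (ipf's usual default unless built block-by-default), ignores addresses, flags and the state table, and uses two constructed rulesets: the order as originally posted and a corrected order.

```python
"""Simplified simulator of IPFilter rule evaluation (added example).

Models only the last-match / "quick" behaviour.  Addresses, TCP flags and
the state table are deliberately not simulated (assumption: reduced model).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str            # "pass" or "block"
    direction: str         # "in" or "out"
    quick: bool            # stop evaluating on this match when True
    iface: Optional[str]   # interface name, or None for any
    proto: Optional[str]   # tcp/udp/icmp, or None for any
    dport: Optional[str]   # destination port/service, or None for any
    keep_state: bool       # parsed but not simulated
    text: str              # original line, for reporting


# Grammar subset: action dir [quick] [on IF] [proto P] (all | from A to B [port = N]) [keep state]
_RULE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)(?:\s+(?P<quick>quick))?"
    r"(?:\s+on\s+(?P<iface>\S+))?(?:\s+proto\s+(?P<proto>\S+))?"
    r"\s+(?:all|from\s+\S+\s+to\s+\S+(?:\s+port\s*=\s*(?P<dport>\S+))?)"
    r"(?P<state>\s+keep\s+state)?\s*$"
)


def parse_rules(config: str) -> List[Rule]:
    """Parse ipf.conf-style text; '#' comments and blank lines are skipped."""
    rules = []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _RULE.match(line)
        if not m:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        rules.append(Rule(m["action"], m["dir"], bool(m["quick"]), m["iface"],
                          m["proto"], m["dport"], bool(m["state"]), line))
    return rules


def evaluate(rules: List[Rule], direction: str, iface: str, proto: str,
             dport: Optional[str] = None) -> Tuple[str, Optional[int]]:
    """Return (verdict, index of the deciding rule) for a packet description.

    Assumption: no matching rule means "pass", ipf's default unless the
    kernel was built with a block-by-default policy.
    """
    verdict: Tuple[str, Optional[int]] = ("pass", None)
    for i, r in enumerate(rules):
        if r.direction != direction:
            continue
        if r.iface is not None and r.iface != iface:
            continue
        if r.proto is not None and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        verdict = (r.action, i)   # a later match overrides an earlier one
        if r.quick:
            break                 # "quick" makes this match final
    return verdict


def lint(config: str) -> List[str]:
    """Flag a catch-all block that comes after (and so overrides) pass rules."""
    rules = parse_rules(config)
    findings = []
    for i, r in enumerate(rules):
        if r.action != "block" or r.proto is not None or r.dport is not None:
            continue
        shadowed = [p.text for p in rules[:i]
                    if p.action == "pass" and p.direction == r.direction
                    and not p.quick
                    and (r.iface is None or p.iface is None or p.iface == r.iface)]
        if shadowed:
            findings.append(f"rule {i} ({r.text!r}) overrides {len(shadowed)} "
                            "earlier pass rule(s); move it first or add "
                            "'quick' to the pass rules")
    return findings


# Constructed sample rulesets: the order as originally posted, and a corrected order.
AS_POSTED = """
pass out on ath0 proto tcp from any to any keep state
pass out on ath0 proto udp from any to any port = domain keep state
pass out on ath0 proto icmp from any to any keep state
block out on ath0 all
"""

CORRECTED = """
block in on ath0 all
block out on ath0 all
pass out on ath0 proto tcp from any to any keep state
pass out on ath0 proto udp from any to any port = domain keep state
pass out on ath0 proto icmp from any to any keep state
"""

if __name__ == "__main__":
    for name, cfg in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        rules = parse_rules(cfg)
        print(name, "outbound tcp ->", evaluate(rules, "out", "ath0", "tcp"))
        print(name, "inbound tcp  ->", evaluate(rules, "in", "ath0", "tcp"))
        for finding in lint(cfg):
            print("  lint:", finding)
```

Run it and the "as posted" order reports every outbound TCP packet as blocked by the trailing catch-all, while inbound traffic falls through to the default verdict; the corrected order passes outbound TCP, DNS and ICMP and blocks everything else on ath0 in both directions. The linter only catches the specific shadowing pattern shown here; it is a sanity check, not a substitute for reading ipfstat -nio output on the real box.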


More information about the freebsd-mobile mailing list