laptop firewall rules

Giorgos Keramidas keramida at ceid.upatras.gr
Mon Oct 31 06:44:11 PST 2005


On 2005-10-30 17:41, andy at neu.net wrote:
> Does anyone have a good example of a firewall ruleset for a wireless
> interface in a laptop, or a pointer to documentation?  I want to use
> IPFilter on 6.0 rc1.

I'd strongly recommend pf(4) over IP Filter.  The PF firewall
seems to have all the features IP Filter has and it's also better
maintained, AFAIK.

> I want to let all connections out and keep state, but block all
> incoming from the outside.

Good idea.  I'm using a fairly restrictive set of firewall
rules, even in networks where my laptop has to use DHCP:

% # Firewall rules for the pf(4) firewall.
% # Giorgos Keramidas <keramida at freebsd.org>
% #
% # Based on:
% #	$FreeBSD: src/etc/pf.conf,v 1.2 2004/09/14 01:07:18 mlaier Exp $
% #	$OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
% 
% set block-policy return
% set require-order yes
% set skip on lo0
% 
% scrub in all
% 
% ### Packet filtering:
% 
% block in  log all
% block out log all
% 
% # Allow all ICMP packets.
% # They are mostly useful and rate-limited by the kernel anyway.
% pass in  proto icmp all
% pass out proto icmp all
% 
% # Allow all outgoing connections.
% pass out proto { tcp, udp } all keep state (no-sync)
% 
% # Allow some incoming connections.
% pass in proto tcp from any to any port = 22 keep state (no-sync)

Note that, skipping the PF options near the beginning and the
"(no-sync)" options that are PF-specific, you can almost
certainly use the same ruleset for IP Filter.

- Giorgos
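The ruleset above relies on two pf(4) behaviours that are easy to get wrong when reading it: the state table is consulted before the rules, and among the rules the last match wins (none of them use "quick"). The following is an added example, not part of the original post: a small Python simulator that parses only the subset of pf.conf syntax the posted rules use (block/pass, in/out, log, proto, all, port = N, keep state), then replays a few constructed packets through it. The addresses and ports are made up; interfaces, "quick", scrub, options and everything else real pf does are not modelled.

```python
"""Toy model of pf(4) rule evaluation for the posted laptop ruleset.

Added example, not the original post's code.  It models only two pf
behaviours: the state table is checked before the ruleset, and without
"quick" the LAST matching rule decides.  Everything else is simplified.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# The filtering part of the posted ruleset (options and scrub omitted).
RULESET = """
block in  log all
block out log all
pass in  proto icmp all
pass out proto icmp all
pass out proto { tcp, udp } all keep state (no-sync)
pass in proto tcp from any to any port = 22 keep state (no-sync)
"""

@dataclass
class Rule:
    action: str                 # "block" or "pass"
    direction: str              # "in" or "out"
    protos: Optional[Set[str]]  # None means any protocol
    dport: Optional[int]        # None means any destination port
    keep_state: bool
    text: str                   # original rule line, for the verdict

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", relative to the laptop
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int

def parse_rules(conf: str) -> List[Rule]:
    """Parse the small pf.conf subset used above; anything else is rejected."""
    rules = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(block|pass)\s+(in|out)\b(.*)", line)
        if not m:
            raise ValueError("unsupported rule: %r" % line)
        action, direction, rest = m.groups()
        protos = None
        pm = re.search(r"proto\s+(\{[^}]*\}|\w+)", rest)
        if pm:
            protos = set(re.findall(r"\w+", pm.group(1)))  # "{ tcp, udp }" -> {tcp, udp}
        dm = re.search(r"port\s*=\s*(\d+)", rest)
        dport = int(dm.group(1)) if dm else None
        rules.append(Rule(action, direction, protos, dport, "keep state" in rest, line))
    return rules

class Firewall:
    def __init__(self, conf: str):
        self.rules = parse_rules(conf)
        self.states = set()  # flows admitted by a "keep state" rule

    @staticmethod
    def _key(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> str:
        # 1. State table first: a packet belonging to a known flow, in either
        #    direction, is passed without looking at the rules at all.
        if self._key(p) in self.states or self._reverse_key(p) in self.states:
            return "pass (state)"
        # 2. Walk every rule; with no "quick", the last match wins.
        winner = None
        for r in self.rules:
            if r.direction != p.direction:
                continue
            if r.protos is not None and p.proto not in r.protos:
                continue
            if r.dport is not None and p.dport != r.dport:
                continue
            winner = r
        if winner is None:
            return "pass (no match)"  # pf's default when no rule matches
        if winner.action == "pass":
            if winner.keep_state:
                self.states.add(self._key(p))  # replies will now pass by state
            return "pass (%s)" % winner.text
        # "set block-policy return" means the peer gets a RST/unreachable,
        # but the verdict for the packet is still a block.
        return "block (%s)" % winner.text

def demo() -> List[str]:
    """Replay constructed packets; returns one verdict string per packet."""
    fw = Firewall(RULESET)
    laptop, peer, server = "192.0.2.10", "203.0.113.5", "198.51.100.1"
    pkts = [
        Packet("in", "tcp", peer, 40000, laptop, 80),       # unsolicited HTTP: blocked
        Packet("in", "tcp", peer, 40001, laptop, 22),       # SSH to the laptop: passed
        Packet("out", "tcp", laptop, 50000, server, 443),   # outbound HTTPS: passed, state created
        Packet("in", "tcp", server, 443, laptop, 50000),    # HTTPS reply: passed by state
        Packet("in", "udp", server, 53, laptop, 50001),     # DNS reply with no state: blocked
        Packet("in", "icmp", peer, 0, laptop, 0),           # ping: passed by the icmp rule
    ]
    return [fw.filter(p) for p in pkts]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The fifth packet is the instructive one: a UDP reply only gets in if the laptop's own outbound query created a state entry first, which is what makes "pass out ... keep state" together with "block in ... all" work as an "everything out, nothing unsolicited in" policy.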


