# All I want is a simple ipf.rules firewall. That's all I want



## neilms (Jul 3, 2010)

Hi,
I have a very simple setup. I am using a basic desktop PC and I want to set up an ipf firewall to give me added protection. I use my PC for regular desktop, home-user stuff:
email, web browsing, BitTorrent, nothing weird.

I had botched up some firewall rules, but found they stopped me from downloading anything using pkg_add! Also, I could not use this if I want to download BitTorrent stuff. Here are the botched rules that I used:

```
# Allow all else to port 80
pass in quick on rl0 proto tcp from any to any port = 80

# block all other ssh src
block in log quick on rl0 proto tcp from any to any port = 22

# Block tiny IP frags
block in quick on rl0 all with frags

# Block short tcp packets
block in quick on rl0 proto tcp all with short

# block source routed packets
block in quick on rl0 all with opt lsrr
block in quick on rl0 all with opt ssrr

# Block nmap OS fingerprint attempts
# Log first occurrence of these so I can get their IP address
block in log first quick on rl0 proto tcp from any to any flags FUP

# Block anything with special options
block in quick on rl0 all with ipopts

# Logging incoming mail ports TCP 25,  587 and 22
pass in log quick on rl0 proto tcp from any to any port = 25
# pass in log quick on xl0 proto tcp from any to any port = 587
# pass in log quick on xl0 proto tcp from any to any port = 22

# loopback in/out:
pass in quick on lo0 all
pass out quick on lo0 all

# Allow all outgoing ssh
pass out quick on rl0 proto tcp from any to any port = 22 flags S keep frags keep state

####   Then allow other web visitors   ####
pass in quick on rl0 proto tcp from any to any port = 80 flags S keep frags keep state
pass out quick on rl0 proto tcp from any to any port = 80 flags S keep frags keep state

####   Allow DNS lookups   ####
pass out quick on rl0 proto udp from any to any port = 53 keep state keep frags

# Allow other requests out like ftp, icmp, udp.
# The UDP below probably duplicates dns lookups allow above.
# pass out quick on xl0 proto tcp from any to any keep frags keep state
pass out quick on rl0 proto tcp from any to any flags S keep frags keep state
pass out quick on rl0 proto udp from any to any keep state keep frags
pass out quick on rl0 proto icmp from any to any keep state
pass out quick on rl0 from 10.5.1.10 to any

# Dump all else. Who needs them? (Block by default)
block in log quick on rl0 all
block out quick on rl0 all
```

Please can anyone tell me how to change this so:
1. I can download all FreeBSD-related updates, such as using portsnap, cvs, pkg_add, etc.
2. I can download BitTorrents

Also, do I need to have 'sendmail' enabled as a service listening if I only use POP3 email?


----------
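The following is an added example, not part of the original post and not a diagnosis of why the posted rules broke pkg_add: a minimal stateful ipf.rules for a single-NIC desktop that covers the two requests (FreeBSD updates and BitTorrent). The interface name rl0 is taken from the post; the BitTorrent listen port 6881 is an assumption, to be replaced with whatever the client is actually configured to use.

```conf
# Added example: minimal stateful ipf.rules for a single-NIC FreeBSD desktop.
# Interface rl0 comes from the post; port 6881 is ASSUMED, match your client.

# Loopback is trusted (local services such as a localhost-only sendmail live here)
pass in quick on lo0 all
pass out quick on lo0 all

# Drop malformed or suspicious packets before any pass rule can see them
block in quick on rl0 all with frags
block in quick on rl0 proto tcp all with short
block in quick on rl0 all with ipopts
block in log first quick on rl0 proto tcp from any to any flags FUP

# Outbound: the desktop may start anything; keep state so replies are let back in.
# This single set of rules already covers portsnap (HTTP, tcp/80), pkg_add and
# passive FTP (tcp/21 plus server-chosen high ports, all opened by us), csup/cvsup
# (tcp/5999), CVS pserver (tcp/2401), POP3 (tcp/110), DNS (udp/53) and every
# BitTorrent connection that the local client initiates.
pass out quick on rl0 proto tcp from any to any flags S keep state keep frags
pass out quick on rl0 proto udp from any to any keep state keep frags
pass out quick on rl0 proto icmp from any to any keep state

# Inbound: only the BitTorrent listen port (ASSUMED 6881). Remote peers connect
# to us here; without it downloads still work, but with fewer reachable peers.
pass in quick on rl0 proto tcp from any to any port = 6881 flags S keep state
pass in quick on rl0 proto udp from any to any port = 6881 keep state

# Everything else inbound is dropped and logged; nothing else leaves unmatched
block in log quick on rl0 all
block out quick on rl0 all
```

ipf consults its state table before walking the rule list, so the `keep state` on the outbound rules is what lets replies in past the final `block in`; no separate inbound pass rule is needed for HTTP, FTP, DNS or POP3. Active-mode FTP would need inbound data connections and is blocked by this ruleset, so use passive FTP. On the sendmail question: a POP3 client needs no inbound tcp/25 rule at all; on the FreeBSD releases of that era the default `sendmail_enable="NO"` still ran a submission daemon bound only to 127.0.0.1, which the lo0 rules above already cover.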

