One of the best things about the Pi is that it's small, and portable. It's very tempting to use it on wireless networks, unattended. Sadly, in the real world, any wireless network can be hacked, and any device on wireless should be considered vulnerable. So, pf is an easy way to harden your Pi.
The first thing you'll need is a FreeBSD Pi install, which has the pf device in the kernel. You can get that here, or just build yourself a kernel with pf.
Then, you will need some simple rules. I used these rules in the file "/etc/pf.conf"
# options set block-policy return set optimization conservative # normalization scrub in all scrub out all # default, deny everything block in log all pass out quick #icmp pass out inet proto icmp from any to any keep state pass in quick inet proto icmp from any to any keep state #ssh pass out inet proto tcp from any to any port 22 keep state pass in quick inet proto tcp from any to any port 22 keep state #localhost pass in quick on lo0 all pass out quick on lo0 all
Simply; I block everything other than ssh, icmp (ping).
In order to load the rules:
pfctl -f /etc/pf.conf
and to show the current status of the packet filter:
pfctl -s all
You'll want FreeBSD to load your pf rules when it starts, so add the below to "/etc/rc.conf"