Ipfirewall (ipfw) is the FreeBSD IP packet filter and traffic accounting facility. It is included in the base FreeBSD install as a separate, run-time loadable kernel module. The system loads the module automatically when rc.conf contains the statement firewall_enable="YES".
The first step in managing ipfw is to check that it is compiled into, or loaded in, your running kernel. A simple listing of the active firewall rules tells you:
# ipfw list
All of your rules should be listed in sequence. If you receive an error, you may need to enable your firewall or recompile the kernel with ipfw support.
Your firewall rules live in the /etc directory, usually in a file with one of several similar names:
/etc/ipfirewall.rules
/etc/ipfw.rules
/etc/rc.firewall
Running ipfw -q -f flush removes all rules except the default rule. You can either edit the rules file by hand so that your rules persist across firewall restarts, or use the ipfw -q add command to add rules live (rules added this way disappear when the firewall restarts). Rules are formed using the following syntax:
CMD RULE_NUMBER ACTION LOGGING SELECTION STATEFUL
Here are a few quick examples:
# ipfw -q -f flush
# ipfw -q add check-state
# ipfw -q add deny all from any to any frag
# ipfw -q add deny tcp from any to any established
# ipfw -q add allow tcp from any to any 80 out via tun0 setup keep-state
# ipfw -q add allow tcp from any to 192.0.2.11 53 out via tun0 setup keep-state
# ipfw -q add 00611 allow udp from any to 192.0.2.11 53 out via tun0 keep-state
Once finished, restart the ipfw service so that it reloads the rules file and makes the changes live:
# /etc/rc.d/ipfw restart
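The commands above assembled into a complete, ordered rules file in the style of /etc/ipfw.rules, as an added example that is not from the original page: check-state first, the deny rules next, the stateful outbound allows after that, and a logged catch-all deny last. The rule numbers, the "me" source, the port list, and the IPFW and DRY_RUN variables are assumptions for this example.

```shell
#!/bin/sh
# Added example, not the page's own file. Stateful outbound ruleset for one
# outside interface. Usage:
#   sh ipfw.rules tun0             apply the rules (root on FreeBSD)
#   DRY_RUN=1 sh ipfw.rules tun0   print the ipfw commands instead of running them

IPFW=${IPFW:-/sbin/ipfw}           # assumption: path to the ipfw binary
[ -n "${DRY_RUN:-}" ] && IPFW=echo # with DRY_RUN set, echo stands in for ipfw

load_rules() {
    oif=$1                  # outside interface, e.g. tun0 for a PPP link
    cmd="$IPFW -q add"      # the usual shorthand used in rules files

    # Start from a clean table; only the default rule remains afterwards.
    $IPFW -q -f flush

    # Packets belonging to sessions already recorded by keep-state pass here,
    # so this must come before any rule that would otherwise drop the replies.
    $cmd 00100 check-state

    # Fragments and inbound TCP segments that did not match a known session.
    $cmd 00200 deny all from any to any frag
    $cmd 00300 deny tcp from any to any established

    # Sessions this host initiates; keep-state opens the return path.
    $cmd 00400 allow tcp from me to any 80,443 out via "$oif" setup keep-state
    $cmd 00500 allow tcp from me to 192.0.2.11 53 out via "$oif" setup keep-state
    $cmd 00600 allow udp from me to 192.0.2.11 53 out via "$oif" keep-state

    # Anything not matched above is dropped and logged for later review.
    $cmd 00999 deny log all from any to any
}

# Only act when an interface name is supplied on the command line.
if [ $# -ge 1 ]; then
    load_rules "$1"
fi
```

Review the DRY_RUN output before applying, since a misplaced check-state or a missing catch-all changes what the ruleset permits.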
For a more comprehensive resource, refer to the FreeBSD Handbook, Chapter 30: Firewalls.