Enabling IPFW
# /etc/rc.conf
# Read by /etc/rc.d/ipfw at boot; the same variables can be set
# non-interactively with sysrc(8).
firewall_enable="YES"
# Profile name handed to /etc/rc.firewall. It is only acted on when
# firewall_script is left at its default (/etc/rc.firewall); with the custom
# script below it is passed as $1 but otherwise has no effect.
firewall_type="workstation" # or "open", "client", "simple", "closed"
# Custom rule script run instead of /etc/rc.firewall -- when set, the active
# rule set comes entirely from this file.
firewall_script="/etc/ipfw.rules" # Custom rules
# For NAT
# In-kernel NAT; packet forwarding also needs gateway_enable="YES"
# (see the NAT section).
firewall_nat_enable="YES"
# Start IPFW
# Loading ipfw installs the immutable default rule 65535, which denies all
# traffic unless the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT.
# On a remote host, start it from the console or with a rule set that
# already allows your session, or the session is cut.
service ipfw start
Basic Commands
# View rules
# `list` prints the rule set; `show` prints it with packet/byte counters
ipfw list
ipfw show # With counters
# Flush all rules (careful!)
# Removes every rule except the default 65535. Without -f (or -q, which
# implies it) ipfw asks for confirmation. On a remote host whose default
# rule is deny, flushing drops your own session along with everything else.
ipfw flush
# Add rule
# Rule numbers need not be unique; several rules may share one number
ipfw add 100 allow tcp from any to me 22
# Delete rule
# Deletes every rule numbered 100, not only the first one
ipfw delete 100
# Zero counters
# Resets the counters reported by `ipfw show` for all rules
ipfw zero
Rule Syntax
# Format: ipfw add [number] action proto from src to dst [options]
# Rules are evaluated in ascending number order; the first match wins.
# Allow SSH inbound
# `in` restricts the match to packets entering the host
ipfw add 100 allow tcp from any to me 22 in
# Allow established connections
# NOTE: `established` is stateless -- it matches any TCP packet with the ACK
# or RST bit set, whether or not a connection actually exists, so ACK-flagged
# packets pass regardless of the per-service rules. Use check-state /
# keep-state (as in the Custom Rules File) for real connection tracking.
ipfw add 200 allow tcp from any to any established
# Deny all else
# Explicit catch-all so the policy does not depend on the kernel's default rule
ipfw add 65000 deny all from any to any
Custom Rules File
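#!/bin/sh
# /etc/ipfw.rules
# Stateful host rule set, run by /etc/rc.d/ipfw when firewall_script points
# here. Rules are matched in ascending number order; the first match wins.

# Flush existing rules
# -q suppresses output and skips the confirmation prompt; rule 65535 remains
ipfw -q flush
# Allow loopback
ipfw add 10 allow all from any to any via lo0
# Allow established connections
# check-state matches packets that belong to dynamic state created by the
# keep-state rules below, for every protocol. A separate
# "allow tcp from any to any established" rule is deliberately omitted:
# `established` is stateless (any TCP packet with ACK/RST set) and would let
# such packets bypass the per-service rules. Sessions that predate a rule
# reload lose their state and must reconnect.
ipfw add 100 check-state
# Allow outbound (with state)
# `setup` matches only the initial SYN; keep-state then tracks the connection
ipfw add 300 allow tcp from me to any setup keep-state
ipfw add 310 allow udp from me to any keep-state
ipfw add 320 allow icmp from me to any keep-state
# Allow inbound SSH
ipfw add 400 allow tcp from any to me 22 setup keep-state
# Allow inbound HTTP/HTTPS
ipfw add 410 allow tcp from any to me 80,443 setup keep-state
# Allow ping
# icmptype 8 is echo request; the echo reply from this host is allowed by rule 320
ipfw add 500 allow icmp from any to me icmptypes 8
# Deny everything else
# `log` only produces entries when firewall_logging="YES" is set in rc.conf
# (see Logging); entries reach the kernel log and /var/log/security
ipfw add 65000 deny log all from any to any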
NAT with IPFW
# /etc/rc.conf
# Forward packets between interfaces (turns on net.inet.ip.forwarding)
gateway_enable="YES"
firewall_nat_enable="YES"
# Outside-facing interface; its address becomes the translation address
firewall_nat_interface="em0"
# Or in rules file
# `if em0` takes the NAT address from em0; `reset` clears the translation
# table when that address changes
ipfw nat 1 config if em0 reset
# Translate LAN traffic leaving via em0
ipfw add 100 nat 1 ip from 192.168.1.0/24 to any via em0
# Reverse translation for packets arriving on em0
# NOTE(review): with the default net.inet.ip.fw.one_pass=1 the nat action
# terminates rule processing, so packets handled by rule 200 are not filtered
# by any later rule. Set net.inet.ip.fw.one_pass=0 so translated packets
# continue through the rule set, or add deny_in to the nat config so
# untranslated inbound packets are dropped -- confirm against ipfw(8) for
# your release.
ipfw add 200 nat 1 ip from any to me via em0
Logging
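# Enable logging
# Persists firewall_logging="YES" in /etc/rc.conf; rc.d/ipfw enables kernel
# logging (net.inet.ip.fw.verbose) from it. net.inet.ip.fw.verbose_limit caps
# the number of entries per rule so a flood of denied packets cannot fill the log.
sysrc firewall_logging="YES"
# Log denied packets
# Only rules carrying the `log` keyword produce entries
ipfw add 65000 deny log all from any to any
# View logs
# Kernel entries are prefixed "ipfw:" in lower case; grep is case-sensitive,
# so match case-insensitively rather than on "IPFW"
dmesg | grep -i ipfw
# syslog writes the same entries (security facility) to /var/log/security
tail -f /var/log/security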