IPFW Quickstart Guide

IPFW is the FreeBSD stateful firewall and packet filter. This quickstart guide outlines several useful commands and techniques to assist in debugging IPFW.

Enable and start IPFW

To enable IPFW at boot, add firewall_enable="YES" to /etc/rc.conf:

# sysrc firewall_enable="YES"

Start the firewall.

# service ipfw start

List all running rules.

# ipfw list

Delete all rules.

# ipfw -q -f flush

Disable and stop IPFW

Stop the firewall.

# /etc/rc.d/ipfw stop

To disable the firewall, set the following option in the /etc/rc.conf file:

firewall_enable="NO"

Example: Allow SSH and deny all others

This example uses 192.0.2.123 as the server’s IP address.

Allow anything outbound from this address.

# ipfw -q add allow all from 192.0.2.123 to any out

Deny anything outbound from other addresses.

# ipfw -q add deny log all from any to any out

Allow TCP packets of already established connections through.

# ipfw -q add allow tcp from any to any established

Allow IP fragments.

# ipfw -q add allow all from any to any frag

Allow inbound SSH.

# ipfw -q add allow tcp from any to 192.0.2.123 22 setup

Everything else is denied and logged.

# ipfw -q add deny log all from any to any

Permanent vs. Temporary Rules

Rules added on the fly with ipfw change only the running configuration and are not saved. This causes a common issue: the server works as expected until the next reboot, when the rules are lost. Make sure you save your configuration permanently.

To make your rules permanent, put your rules into a file such as /etc/ipfw.conf, then add this to /etc/rc.conf:

firewall_enable="YES"
firewall_type="/etc/ipfw.conf"

An example /etc/ipfw.conf to allow SSH and deny all others looks like this:

# ==========================================
# IPFW Example - Allow SSH, deny all other
# 192.0.2.123 is the example IP address
# ==========================================

# Allow anything outbound from this address.
add allow all from 192.0.2.123 to any out

# Deny anything outbound from other addresses.
add deny log all from any to any out

# Allow TCP through if setup succeeded.
add allow tcp from any to any established

# Allow IP fragments
add allow all from any to any frag

# Allow inbound ssh
add allow tcp from any to 192.0.2.123 22 setup

# Everything else is denied and logged.
add deny log all from any to any
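The rules above are evaluated in order and the first match wins, so the order of the file matters as much as its contents. As an added example (not part of this guide and not FreeBSD's own ipfw code), the Python script below models that first-match evaluation for the keywords the ruleset uses and runs a few constructed packets through the /etc/ipfw.conf rules, plus a constructed mistake where the catch-all deny is moved in front of the SSH rule. The automatic numbering (100, 200, ... from the default net.inet.ip.fw.autoinc_step) and the built-in default rule 65535 follow ipfw's documented behaviour; the packet model, the peer addresses 198.51.100.7 and 10.0.0.5, and the simplification to destination-side ports only are assumptions for illustration.

```python
"""Simplified first-match simulator for an ipfw ruleset (added example, not
FreeBSD code). It models only the keywords used in this guide, with ports
on the destination side only, so a ruleset can be checked for ordering
mistakes before it is loaded with ipfw."""
import ipaddress
import re
from collections import namedtuple

SERVER = "192.0.2.123"  # example address from the guide
# The six rules of the guide's /etc/ipfw.conf (comments shortened).
IPFW_CONF = """\
add allow all from 192.0.2.123 to any out        # outbound from this host
add deny log all from any to any out             # outbound from anyone else
add allow tcp from any to any established        # replies to our connections
add allow all from any to any frag               # non-first IP fragments
add allow tcp from any to 192.0.2.123 22 setup   # inbound ssh
add deny log all from any to any                 # catch-all, must stay last
"""
RULE_RE = re.compile(
    r"^add\s+(?:(?P<num>\d+)\s+)?(?P<action>allow|deny)\s+(?P<log>log\s+)?"
    r"(?P<proto>\w+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+(?P<dport>\d+))?(?P<opts>.*)$")
DEFAULT_RULE = 65535  # the kernel's built-in last rule: deny unless built to accept

Rule = namedtuple("Rule", "num action log proto src dst dport opts")
# frag marks a non-first IP fragment, which carries no transport header.
Packet = namedtuple("Packet", "proto src dst direction dport syn ack rst frag",
                    defaults=(None, False, False, False, False))

def parse_ruleset(text, step=100):
    """Parse 'add ...' lines. Unnumbered rules get the previous number plus
    step, mirroring ipfw's default net.inet.ip.fw.autoinc_step of 100."""
    rules, last = [], 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # ipfw treats '#' as a comment
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        num = int(m["num"]) if m["num"] else last + step
        rules.append(Rule(num, m["action"], bool(m["log"]), m["proto"], m["src"],
                          m["dst"], int(m["dport"]) if m["dport"] else None,
                          frozenset(m["opts"].split())))
        last = num
    return rules

def _addr_match(spec, addr):
    return spec == "any" or (ipaddress.ip_address(addr)
                             in ipaddress.ip_network(spec, strict=False))

def matches(rule, pkt):
    """Modelled ipfw semantics: 'frag' matches only non-first fragments,
    'setup' is SYN without ACK, 'established' is ACK or RST set."""
    if rule.proto not in ("all", "ip", pkt.proto):
        return False
    if not (_addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)):
        return False
    if "frag" in rule.opts and not pkt.frag:
        return False
    needs_l4 = rule.dport is not None or bool(rule.opts & {"setup", "established"})
    if pkt.frag and needs_l4:
        return False  # a non-first fragment has no ports or flags to compare
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if "in" in rule.opts and pkt.direction != "in":
        return False
    if "out" in rule.opts and pkt.direction != "out":
        return False
    if "setup" in rule.opts and not (pkt.proto == "tcp" and pkt.syn and not pkt.ack):
        return False
    if "established" in rule.opts and not (pkt.proto == "tcp" and (pkt.ack or pkt.rst)):
        return False
    return True

def evaluate(rules, pkt):
    """Return (rule number, action, logged) of the first rule that matches."""
    for r in rules:
        if matches(r, pkt):
            return r.num, r.action, r.log
    return DEFAULT_RULE, "deny", False

def verdicts(conf=IPFW_CONF):
    """Send constructed packets through the ruleset; returns {case: (num, action)}."""
    rules, peer = parse_ruleset(conf), "198.51.100.7"   # peer address is constructed
    cases = {
        "inbound ssh SYN": Packet("tcp", peer, SERVER, "in", 22, syn=True),
        "inbound http SYN": Packet("tcp", peer, SERVER, "in", 80, syn=True),
        "inbound reply ACK": Packet("tcp", peer, SERVER, "in", 51000, ack=True),
        "inbound udp dns": Packet("udp", peer, SERVER, "in", 53),
        "inbound fragment": Packet("udp", peer, SERVER, "in", frag=True),
        "outbound from server": Packet("tcp", SERVER, peer, "out", 443, syn=True),
        "outbound from other host": Packet("tcp", "10.0.0.5", peer, "out", 443, syn=True),
    }
    return {name: evaluate(rules, p)[:2] for name, p in cases.items()}

def swap_last_two(conf):
    """Constructed mistake: the catch-all deny moved in front of the ssh allow."""
    lines = [ln for ln in conf.splitlines() if ln.startswith("add")]
    lines[-1], lines[-2] = lines[-2], lines[-1]
    return "\n".join(lines)

if __name__ == "__main__":
    for name, (num, action) in verdicts().items():
        print(f"{name:25s} -> rule {num:5d} {action}")
    print("ssh with deny moved up    ->", verdicts(swap_last_two(IPFW_CONF))["inbound ssh SYN"])
```

The last line of the output shows why the catch-all deny must stay last: once it sits above the SSH rule it matches every inbound SYN first and the server becomes unreachable over SSH after the next reload. The script checks ordering only; the syntax of the file itself can be checked without loading it using ipfw -n /etc/ipfw.conf.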

More information

See the IPFW documentation for more details.
