
IPFW Firewall Rules

I recently had to add firewall rules to a FreeBSD box. This was unfamiliar territory for me, as I'm used to either firewalld or iptables on Linux.

But the process is actually pretty straightforward once you get used to the syntax.

All I'm going to do in this post is show an example firewall rule and point to the site I used as a reference.

The number one mistake I made was adding an ipfw rule without specifying a rule number.

That caused the new rule to be added after the allow-all rule that was already in place, and since ipfw acts on the first matching rule, the new rule never took effect.

So I manually gave it a number lower than the allow rule's.

The following command adds a rule that denies all traffic from a specific IP address (the address goes between from and to) coming into my machine via em1:

ipfw -q add 64999 deny all from to any via em1

The command below deletes that same rule:

ipfw -q delete 64999
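To make the ordering problem concrete, here is an added example (not part of the original post): a small Python model of ipfw's first-match evaluation. It assumes the existing allow-all rule sits at 65000, that an unnumbered rule is placed 100 after the last rule (ipfw's default autoinc step), and uses a constructed source address of 10.0.0.5.

```python
# Added example: models why an ipfw deny rule added without a number lands
# after the existing allow-all rule and never fires, while the same rule
# at 64999 takes effect. Rule numbers and 10.0.0.5 are constructed values.
import ipaddress

AUTOINC_STEP = 100      # ipfw's default spacing for unnumbered rules
DEFAULT_RULE = 65535    # ipfw's fixed last rule


def add_rule(rules, action, src, iface, number=None):
    """Add a rule; without a number it goes AUTOINC_STEP past the highest
    non-default rule, i.e. after everything the admin already configured."""
    if number is None:
        highest = max((n for n, *_ in rules if n != DEFAULT_RULE), default=0)
        number = min(highest + AUTOINC_STEP, DEFAULT_RULE - 1)
    rules.append((number, action, ipaddress.ip_network(src), iface))
    rules.sort(key=lambda r: r[0])
    return number


def evaluate(rules, src_ip, iface):
    """Return the action of the first rule matching a packet that
    arrives from src_ip via iface (ipfw is first-match)."""
    ip = ipaddress.ip_address(src_ip)
    for _, action, net, rule_iface in rules:
        if ip in net and rule_iface in (iface, "any"):
            return action
    return "deny"  # unreachable: the 65535 rule matches everything


def build(deny_number=None):
    """Build a rule set: default rule, allow-all at 65000, then the deny
    rule from the post, numbered or not."""
    rules = [(DEFAULT_RULE, "deny", ipaddress.ip_network("0.0.0.0/0"), "any")]
    add_rule(rules, "allow", "0.0.0.0/0", "any", 65000)   # pre-existing allow all
    add_rule(rules, "deny", "10.0.0.5/32", "em1", deny_number)
    return rules


if __name__ == "__main__":
    for label, number in (("unnumbered", None), ("64999", 64999)):
        rules = build(number)
        print(label, [r[0] for r in rules],
              "->", evaluate(rules, "10.0.0.5", "em1"))
```

On the real box, `ipfw list` prints the rules in number order and is the quickest way to confirm where a new rule actually landed.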

Here is the reference I used to figure this out

1 comment:

  1. To be fair, I haven't used IPFW since PF was ported, but all that hacking around in services files, rc.conf, etc. seems like a lot of work. With PF you just enable it in rc.conf, edit /etc/pf.conf, and then run pfctl -f /etc/pf.conf to load the rules. It will manage ICMP, UDP and TCP out of the box. A basic starter pf.conf is in /usr/share/examples/pf/pf.conf. Copy it to /etc/pf.conf, change device names if needed, edit what's needed, and go from there. The sshguard piece is cool, and it supports PF as well via sshguard-pf. Using pfctl you can add / remove VPN IPs from PF tables manually as well as via web scripts, other scripts or even remote SSH commands.