IPFW is a FreeBSD stateful firewall and packet filter. This quickstart guide outlines several useful commands and techniques to assist debugging IPFW.
To enable IPFW at boot, add firewall_enable="YES" to /etc/rc.conf:
# sysrc firewall_enable="YES"
Start the firewall.
# service ipfw start
List the rules currently loaded in the kernel.
# ipfw list
Flush (delete) all loaded rules without asking for confirmation. Only the kernel's default rule remains afterwards, which denies all traffic unless the kernel was built or tuned to accept by default, so run this from the console rather than over a remote session.
# ipfw -q -f flush
Stop the firewall.
# /etc/rc.d/ipfw stop
To disable the firewall, set the following option in /etc/rc.conf:
firewall_enable="NO"
This example uses 192.0.2.123 as the server's IP address.
Allow anything outbound from this address.
# ipfw -q add allow all from 192.0.2.123 to any out
Deny anything outbound from other addresses.
# ipfw -q add deny log all from any to any out
Allow TCP through if setup succeeded.
# ipfw -q add allow tcp from any to any established
Allow IP fragments.
# ipfw -q add allow all from any to any frag
Allow inbound SSH.
# ipfw -q add allow tcp from any to 192.0.2.123 22 setup
Everything else is denied and logged.
# ipfw -q add deny log all from any to any
It's possible to make changes on-the-fly to the ipfw configuration without saving them permanently: rules added with ipfw add at the command line live only in the kernel and are lost at reboot. This causes a common issue; the server works as expected until the next reboot. Make sure you permanently save your configuration.
To make your rules permanent, put your rules into a file such as /etc/ipfw.conf, then add this to /etc/rc.conf:
firewall_enable="YES"
firewall_type="/etc/ipfw.conf"
An example /etc/ipfw.conf to allow SSH and deny all others looks like this:
# ==========================================
# IPFW Example - Allow SSH, deny all other
# 192.0.2.123 is the example IP address
# ==========================================
# Allow anything outbound from this address.
add allow all from 192.0.2.123 to any out
# Deny anything outbound from other addresses.
add deny log all from any to any out
# Allow TCP through if setup succeeded.
add allow tcp from any to any established
# Allow IP fragments
add allow all from any to any frag
# Allow inbound ssh
add allow tcp from any to 192.0.2.123 22 setup
# Everything else is denied and logged.
add deny log all from any to any
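Because a rule file is only loaded at boot, a mistake in it (a typo in a verb, a missing catch-all deny, or no rule that keeps SSH open) is usually discovered after the next reboot. The following pre-deployment lint is an added example, not part of the original page or of FreeBSD; it needs only sh and awk, assumes the file uses the rule-file form shown above (lines starting with add, set, table, and so on), and assumes inbound SSH on port 22 is the administrative path. On FreeBSD, follow it with ipfw -n /etc/ipfw.conf for ipfw's own syntax check.

```sh
#!/bin/sh
# Added example (not from the original page): lint an /etc/ipfw.conf rule file
# before it is relied on at boot. Requires only sh and awk.
#
# ipfw_conf_check FILE -> returns 0 if the file passes, 1 with reasons on stderr.
# Checks: every rule line starts with a verb valid in a rule file, the last
# rule is an explicit catch-all deny (fail closed), and an inbound SSH
# "... 22 setup" allow exists (assumed admin path) before that deny.
ipfw_conf_check() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip blank lines and comments
        {
            n++; last = $0
            if ($1 !~ /^(add|set|table|nat|pipe|queue|sched)$/) {
                print ("line " NR ": unknown ipfw command: " $1) > "/dev/stderr"; bad = 1
            }
            if ($0 ~ /^add[ \t]+allow[ \t]+tcp[ \t]/ && $0 ~ /[ \t]22[ \t]+setup([ \t]|$)/) ssh = 1
        }
        END {
            if (n == 0) { print "no rules found" > "/dev/stderr"; exit 1 }
            if (last !~ /^add[ \t]+deny([ \t]+log)?[ \t]+(all|ip)[ \t]+from[ \t]+any[ \t]+to[ \t]+any[ \t]*$/) {
                print ("last rule is not a catch-all deny: " last) > "/dev/stderr"; bad = 1
            }
            if (!ssh) { print "no inbound SSH setup rule found" > "/dev/stderr"; bad = 1 }
            exit bad
        }' "$1"
}

# Constructed samples: the rule set from this page (should pass) and a broken
# variant that mistypes a verb and has no final deny, so it fails open.
ipfw_conf_demo() {
    good=$(mktemp) bad=$(mktemp)
    printf '%s\n' '# Allow SSH, deny all other' \
        'add allow all from 192.0.2.123 to any out' \
        'add deny log all from any to any out' \
        'add allow tcp from any to any established' \
        'add allow all from any to any frag' \
        'add allow tcp from any to 192.0.2.123 22 setup' \
        'add deny log all from any to any' > "$good"
    printf '%s\n' 'add allow tcp from any to 192.0.2.123 22 setup' \
        'ad allow all from any to any frag' > "$bad"
    ipfw_conf_check "$good" && ! ipfw_conf_check "$bad"
    rc=$?
    rm -f "$good" "$bad"
    return $rc
}
```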
See the IPFW documentation for more details.