IPFW Quickstart Guide

Last Updated: Mon, Apr 13, 2020
Categories: Quickstart Guides, Security, System Admin

IPFW is a FreeBSD stateful firewall and packet filter. This quickstart guide outlines several useful commands and techniques to assist debugging IPFW.

Enable and start IPFW

To enable IPFW at boot, set firewall_enable="YES" in /etc/rc.conf, for example with sysrc:

# sysrc firewall_enable="YES"

Start the firewall.

# service ipfw start

List all currently loaded rules.

# ipfw list

Delete all rules (-f skips the confirmation prompt, -q suppresses output).

# ipfw -q -f flush

Disable and stop IPFW

Stop the firewall.

# /etc/rc.d/ipfw stop

To disable the firewall, set the following option in /etc/rc.conf file:

firewall_enable="NO"

Example: Allow SSH and deny all others

This example uses 192.0.2.123 as the server's IP address.

Allow anything outbound from this address.

# ipfw -q add allow all from 192.0.2.123 to any out

Deny anything outbound from other addresses.

# ipfw -q add deny log all from any to any out

Allow TCP packets that belong to connections whose setup handshake already succeeded.

# ipfw -q add allow tcp from any to any established

Allow IP fragments.

# ipfw -q add allow all from any to any frag

Allow inbound SSH (TCP port 22) connection setup to the server.

# ipfw -q add allow tcp from any to 192.0.2.123 22 setup

Everything else is denied and logged.

# ipfw -q add deny log all from any to any

Permanent vs. Temporary Rules

Each ipfw add or delete command takes effect immediately but is not saved anywhere, so it is easy to change the running configuration without making the change permanent. This causes a common issue: the server works as expected until the next reboot, when the unsaved rules are gone. Make sure you permanently save your configuration.

To make your rules permanent, put your rules into a file such as /etc/ipfw.conf, then add this to /etc/rc.conf:

firewall_enable="YES"
firewall_type="/etc/ipfw.conf"

An example /etc/ipfw.conf to allow SSH and deny all others looks like this:

# ==========================================
# IPFW Example - Allow SSH, deny all other
# 192.0.2.123 is the example IP address
# ==========================================

# Allow anything outbound from this address.
add allow all from 192.0.2.123 to any out

# Deny anything outbound from other addresses.
add deny log all from any to any out

# Allow TCP through if setup succeeded.
add allow tcp from any to any established

# Allow IP fragments
add allow all from any to any frag

# Allow inbound ssh
add allow tcp from any to 192.0.2.123 22 setup

# Everything else is denied and logged.
add deny log all from any to any
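The ruleset above is loaded by rc.d in the order the file lists it, and IPFW uses the first matching rule, so a mistake in ordering (or a missing SSH allow) silently locks you out at the next reboot. The following script is an added example, not code from the article or from the FreeBSD project: it renders the same ruleset in /etc/ipfw.conf format with explicit rule numbers (so a single rule can later be replaced with ipfw delete NNN instead of a full flush), checks that the last rule is the catch-all deny and that an inbound SSH allow precedes it, and only then loads it with ipfw's file-reading form. It generalizes the article's rule slightly by restricting the SSH source to an administrative network; the server address is the article's 192.0.2.123, while the admin network 198.51.100.0/24 is a constructed placeholder. The render_ruleset, check_ruleset and apply_ruleset function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): build, sanity-check and load an IPFW
# ruleset in the /etc/ipfw.conf format the article describes.
# Assumptions: ipfw(8) exists only on the FreeBSD host; the admin network
# passed to render_ruleset is a constructed placeholder.

# render_ruleset SERVER_IP ADMIN_NET
# Prints the ruleset to stdout. Rule numbers are explicit so that one rule can
# be replaced or removed later (ipfw delete NNN) without flushing everything.
render_ruleset() {
    srv="$1"
    adm="$2"
    cat <<EOF
# Generated ruleset: allow SSH from $adm to $srv, deny everything else
add 100 allow all from $srv to any out
add 200 deny log all from any to any out
add 300 allow tcp from any to any established
add 400 allow all from any to any frag
add 500 allow tcp from $adm to $srv 22 setup
add 65000 deny log all from any to any
EOF
}

# check_ruleset FILE
# Returns 0 when the last rule is an unconditional deny and an inbound SSH
# allow appears before it. IPFW stops at the first matching rule, so a
# catch-all deny that precedes the SSH allow would lock the admin out.
check_ruleset() {
    f="$1"
    rules=$(grep -v '^[[:space:]]*#' "$f" | grep -v '^[[:space:]]*$')
    last=$(printf '%s\n' "$rules" | tail -n 1)
    case "$last" in
        add*deny*"all from any to any") ;;
        *) echo "check: last rule is not a catch-all deny: $last" >&2; return 1 ;;
    esac
    # Every non-last rule precedes the final deny, so presence is enough here.
    if ! printf '%s\n' "$rules" | grep -q ' 22 setup'; then
        echo "check: no inbound SSH allow rule; loading this would lock you out" >&2
        return 1
    fi
    return 0
}

# apply_ruleset FILE
# Replaces the running rules with FILE: flush, then load the file with ipfw's
# file-reading form (the same thing rc.d does for firewall_type="/etc/ipfw.conf").
# Refuses to run if the ruleset fails the check, and does nothing off FreeBSD.
apply_ruleset() {
    f="$1"
    check_ruleset "$f" || return 1
    if ! command -v ipfw >/dev/null 2>&1; then
        echo "apply: ipfw not found; run this on the FreeBSD host" >&2
        return 2
    fi
    ipfw -q -f flush && ipfw -q "$f"
}

# Stand-alone demo: render to a temporary file and check it. The firewall is
# not touched; call apply_ruleset on the host once the check passes.
demo_file=$(mktemp)
render_ruleset 192.0.2.123 198.51.100.0/24 > "$demo_file"
if check_ruleset "$demo_file"; then
    echo "ruleset in $demo_file passed the checks"
fi
rm -f "$demo_file"
```

To use it on the server, write the rendered ruleset to /etc/ipfw.conf, run apply_ruleset /etc/ipfw.conf from an existing SSH session, and keep firewall_type="/etc/ipfw.conf" in /etc/rc.conf so the same file is loaded at boot; the check is the part worth keeping in any deployment script, because it catches the lock-out case before the rules go live.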

More information

See the IPFW documentation for more details.
