
Setup a Firewall with IPFW on FreeBSD 12

Author: youiopmop
Published: 2019-06-24

Introduction

Having a firewall on your server is an extra step that you can take to increase security.

This tutorial will show you how to set up a firewall on FreeBSD 12 with the built-in program ipfw; no extra software needs to be installed. Other firewalls such as pf and ipfilter are also included by default in FreeBSD, but this tutorial focuses solely on ipfw.

  • It is assumed that you are running as the root user during this guide. Use su to change to root if you are not running as root already.

Prerequisites

  • A FreeBSD 12 server with root access.

Step 1 - Setting up IPFW

To start, edit the file /etc/rc.conf with a text editor of your preference.

Add the following lines to the file:

firewall_enable="YES"
firewall_quiet="YES"
firewall_type="workstation"
firewall_allowservices="any"
firewall_myservices="22/tcp"
firewall_logdeny="YES"

This sets up a firewall of type workstation that denies access from outside hosts to all ports except the default SSH port, port 22. firewall_myservices lists the ports that stay reachable, and firewall_allowservices="any" lets any remote address connect to them.

If you have changed the default SSH port from 22 to something else, edit the above to reflect that change, or you may lock yourself out of your server when you start the firewall. If you do get locked out, reboot into a rescue system or LiveCD and edit /etc/rc.conf.

Make sure to add any other ports or services (from /etc/services) that you need to access into firewall_myservices.
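The lockout risk described above can be checked before the firewall is started. The script below is an added example, not part of the original tutorial: it compares the Port lines in sshd_config with firewall_myservices. The function names and the sample files are made up for illustration, and service names such as "ssh" are not resolved, only numeric entries.

```shell
#!/bin/sh
# Added example: does firewall_myservices cover every port sshd listens on?

# Value of the last firewall_myservices= assignment in an rc.conf-style file.
get_myservices() {
    sed -n 's/^[[:space:]]*firewall_myservices=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# Ports from "Port N" lines in sshd_config; sshd defaults to 22 when none is set.
get_ssh_ports() {
    ports=$(awk 'tolower($1) == "port" { print $2 }' "$1")
    echo "${ports:-22}"
}

# Succeeds only if every sshd port is listed as N/tcp (or bare N, treated here as TCP).
check_lockout() {
    services=$(get_myservices "$1")
    missing=0
    for port in $(get_ssh_ports "$2"); do
        found=0
        for svc in $services; do
            case "$svc" in
                "$port"|"$port"/[Tt][Cc][Pp]) found=1 ;;
            esac
        done
        if [ "$found" -eq 0 ]; then
            echo "sshd port $port/tcp is not in firewall_myservices"
            missing=1
        fi
    done
    return "$missing"
}

# Constructed sample: the tutorial's rc.conf line with sshd moved to port 2222.
demo() {
    demo_dir=$(mktemp -d)
    printf 'firewall_myservices="22/tcp"\n' > "$demo_dir/rc.conf"
    printf '#Port 22\nPort 2222\n' > "$demo_dir/sshd_config"
    rc=0; check_lockout "$demo_dir/rc.conf" "$demo_dir/sshd_config" || rc=$?
    rm -rf "$demo_dir"
    return "$rc"
}

# With two paths (e.g. /etc/rc.conf /etc/ssh/sshd_config) check real files; else run the demo.
if [ "$#" -eq 2 ]; then
    check_lockout "$1" "$2" && echo "OK: sshd ports are allowed"
else
    demo || true
fi
```

A non-zero exit status means at least one sshd port would be blocked once the firewall starts.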

Step 2 - Starting IPFW

To start the firewall, run the following command as root:

service ipfw start

IPFW should now be running and set up to start on boot. To check that it is working, you may follow the next step.

Step 3 - Checking Port with Nmap (Optional)

To test that IPFW is working correctly, you can use a program called nmap.

This needs to be run from a different computer than the server on which the firewall is set up.

On most Linux & BSD systems nmap can be installed using the default package manager. Windows and macOS binaries can be downloaded from nmap.org.

For example, to test whether ports 22 and 80 are remotely accessible on a server with the IP address 10.0.0.1:

nmap -p 22,80 10.0.0.1

It will give output similar to this:

Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-15 12:00 UTC
Nmap scan report for 10.0.0.1
Host is up (0.1s latency).

PORT   STATE    SERVICE
22/tcp open     ssh
80/tcp filtered http

Nmap done: 1 IP address (1 host up) scanned in 2.03 seconds

The above shows that port 22 is open and accessible, while port 80 is filtered and not accessible.

To scan for UDP ports on your server, just add the -sU option to your nmap scan.

Conclusion

Congrats!! You should now have a working firewall on FreeBSD 12 that can help protect your server from unwanted intruders. For further configuration of IPFW, please look at the IPFW documentation.

License: MIT