My FreeBSD ipfw Rules

A few days ago I learnt the ipfw firewall under FreeBSD. I found its rules very simple. Its syntax is very similar to the way we speak, so we can understand it easily.

Of course, a lazy man like me will not learn it deeply. I just wrote my own rules after I learnt the syntax.

This configuration could be used at home; I open the TCP, UDP, SSH and e-mail ports. It is not perfect, and there should be room for improvement. Please give me some advice.

#!/bin/sh
# Stateful ipfw ruleset for a single FreeBSD host (no NAT, no LAN interface).
# ipfw evaluates rules in ascending number order and the first match wins,
# so every allow must be narrower than the final deny it sits in front of.

cmd="/sbin/ipfw -q add"

# Start from an empty ruleset
/sbin/ipfw -q -f flush

# Allow Loopback Interface
$cmd 00010 allow all from any to any via lo0

# Allow packets that match a dynamic rule created earlier by keep-state or
# limit. This must sit before any deny that would otherwise drop reply traffic.
$cmd 00015 check-state

# Allow my access out.
# The "me" source and the "out" direction are essential: an unrestricted
# "allow all from any to any keep-state" here would also match inbound
# packets and let everything through before rule 60000 is ever reached.
$cmd 00050 allow all from me to any out keep-state
$cmd 00060 allow ip from me to any out

# Allow access to DNS (221.228.255.1 is the ISP resolver from /etc/resolv.conf).
# While rule 00050 is present the per-service outbound rules below are
# redundant; they take effect if 00050 is removed to tighten egress.
$cmd 00100 allow tcp from any to 221.228.255.1 53 out setup keep-state
$cmd 00110 allow udp from any to 221.228.255.1 53 out keep-state

# Allow access to DHCP server (logged so the server address shows up in the
# log and the rule can later be narrowed to that address)
$cmd 00140 allow log udp from any to any 67 out keep-state

# Allow out non-secure standard www function (HTTP) and HTTPS
$cmd 00180 allow tcp from any to any 80 out setup keep-state
$cmd 00190 allow tcp from any to any 443 out setup keep-state
# Allow in HTTP/HTTPS to this host, at most 10 connections per source address
$cmd 00200 allow tcp from any to me 80 in setup limit src-addr 10
$cmd 00210 allow tcp from any to me 443 in setup limit src-addr 10

# Allow e-mail function: SMTP and POP3 out; inbound is limited to one
# connection per source address (some remote MTAs open several in parallel)
$cmd 00230 allow tcp from any to any 25 out setup keep-state
$cmd 00240 allow tcp from any to me 25 in setup limit src-addr 1
$cmd 00250 allow tcp from any to any 110 out setup keep-state
$cmd 00260 allow tcp from any to me 110 in setup limit src-addr 1

# Allow out FreeBSD functions (ports, updates) for sockets owned by root
$cmd 00270 allow tcp from me to any out setup keep-state uid root

# Allow out ping; echo replies come back through the dynamic rule at 00015
$cmd 00280 allow icmp from any to any out keep-state

# Allow out secure FTP, Telnet, and SCP by SSH
$cmd 00290 allow tcp from any to any 22 out setup keep-state

# Deny public pings. This also drops inbound ICMP errors such as
# "fragmentation needed", which path MTU discovery depends on.
$cmd 00310 deny icmp from any to any in

# Allow in secure FTP, Telnet, and SCP from public Internet by SSH,
# at most 2 connections per source address
$cmd 00410 allow tcp from any to me 22 in setup limit src-addr 2

# Allow FTP: control connection in, active-mode data from ports 20,21 out.
# Passive-mode transfers additionally need the server's passive port range
# opened inbound.
$cmd 00500 allow tcp from any to me 21 in setup keep-state
$cmd 00510 allow tcp from me 20,21 to any out keep-state

# Deny and log every connection that did not match a rule above
$cmd 60000 deny log all from any to any
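ipfw evaluates rules in ascending order and the first rule that matches decides the packet's fate, so an allow that matches every packet and sits in front of the closing deny makes the deny, and every rule between them, unreachable. The following POSIX sh linter is an added example, not part of the original post or of FreeBSD's ipfw: it reads a rules script of the shape above and reports catch-all allows, the rules they shadow, and whether the highest-numbered rule is a deny. The sample rules file it writes under $TMPDIR is constructed for the demonstration and deliberately contains an unrestricted allow at rule 50; the function names are assumptions.

```sh
#!/bin/sh
# Added example: lint an ipfw rules script for catch-all "allow" rules.
# ipfw applies the first matching rule, so an allow that matches every
# packet before the closing deny makes every later rule unreachable.

# Constructed sample rules file (same shape as the post's ruleset, with an
# unrestricted allow deliberately placed at rule 50).
SAMPLE_RULES="${TMPDIR:-/tmp}/ipfw_lint_sample.$$"
cat > "$SAMPLE_RULES" <<'EOF'
/sbin/ipfw -q -f flush
/sbin/ipfw -q add 00010 allow all from any to any via lo0
/sbin/ipfw -q add 00015 check-state
/sbin/ipfw -q add 00050 allow all from any to any keep-state
/sbin/ipfw -q add 00180 allow tcp from any to any 80 out setup keep-state
/sbin/ipfw -q add 00410 allow tcp from any to me 22 in setup limit src-addr 2
/sbin/ipfw -q add 60000 deny log all from any to any
EOF

# ipfw_catchall_allows FILE
# Print the number of every "allow all|ip from any to any" rule that has no
# interface (via/recv/xmit) or direction (in/out) restriction.
ipfw_catchall_allows() {
    awk '
        /ipfw .*add +[0-9]+ +allow +(all|ip) +from +any +to +any/ {
            opts = $0
            sub(/.*add +[0-9]+ +allow +(all|ip) +from +any +to +any/, "", opts)
            if (opts !~ /(^| )(via|recv|xmit|in|out)( |$)/) {
                for (i = 1; i < NF; i++) if ($i == "add") { print $(i + 1); break }
            }
        }' "$1"
}

# ipfw_shadowed_rules FILE
# Print the numbers of all rules after the first catch-all allow: with
# first-match semantics none of them is ever evaluated.
ipfw_shadowed_rules() {
    first=$(ipfw_catchall_allows "$1" | head -n 1)
    [ -n "$first" ] || return 0
    awk -v first="$first" '
        /ipfw .*add +[0-9]+/ {
            for (i = 1; i < NF; i++) if ($i == "add") { n = $(i + 1); break }
            if (n + 0 > first + 0) print n
        }' "$1"
}

# ipfw_ends_with_deny FILE
# Exit 0 only if the highest-numbered rule in the file is a deny.
ipfw_ends_with_deny() {
    awk '
        /ipfw .*add +[0-9]+/ {
            for (i = 1; i < NF; i++) if ($i == "add") { n = $(i + 1); act = $(i + 2); break }
            if (n + 0 >= max) { max = n + 0; last = act }
        }
        END { if (last == "deny") exit 0; exit 1 }' "$1"
}

# ipfw_lint_report FILE
# Human-readable summary of the three checks above.
ipfw_lint_report() {
    catchall=$(ipfw_catchall_allows "$1")
    if [ -n "$catchall" ]; then
        echo "catch-all allow rule(s): $catchall"
        echo "rules never reached:" $(ipfw_shadowed_rules "$1")
    fi
    if ipfw_ends_with_deny "$1"; then
        echo "final rule is a deny"
    else
        echo "WARNING: final rule is not a deny"
    fi
}

ipfw_lint_report "$SAMPLE_RULES"
```

Run ipfw_lint_report against the file that rc.conf's firewall_script points at before loading it, and compare with `ipfw show` afterwards. The linter only recognises the literal `allow all|ip from any to any` form; that is the one that matters here, because without a direction or interface keyword ipfw matches it on inbound packets as well as outbound ones.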