FreeBSD Firewall Configuration Guide

Jul 19, 2023 • FreeBSDSoftware

Accomplishing secure network communication is critical in today’s digital world. Various tools and techniques can accomplish this, with the firewall being a crucial part. In this regard, FreeBSD stands out due to its well-regarded firewall tools, such as IPFW, PF, and IPFilter. This article provides a comprehensive guide to configuring firewall in FreeBSD.

This task might seem complicated, but with proper understanding and guidance, it becomes manageable. We recommend reading our blog on FreeBSD System Administration as a prerequisite to fully grasp this guide.

Introduction to Firewall in FreeBSD

A firewall acts as a security barrier that controls and monitors incoming and outgoing network traffic under certain predefined security rules. Introduction to Networking on FreeBSD provides a deep understanding on FreeBSD networking tools.

FreeBSD supports several types of firewalls; however, the most commonly used are IPFW (IP FireWall), PF (Packet Filter), and IPFilter. We will provide an in-depth guide on configuring these firewalls.

Configuring IPFW

IPFW is a stateful firewall integrated into the FreeBSD operating system. It uses rules to inspect network traffic packets and decide what to do with them. To get a deep understanding of various commands, visit our blog Understanding Basic Commands in FreeBSD.

Installing IPFW involves using the enable_firewall option in /etc/rc.conf file:

printf 'firewall_enable="YES"' >> /etc/rc.conf

To ensure IPFW is enabled at startup:

sysrc firewall_enable=yes

IPFW Rule Sets

Rules in IPFW are read from the top to bottom. When a packet matches a rule, that rule’s action is triggered. If no rules are matched, the default action is called.

Rules can be added using the command:

ipfw add [rule number] [action] [protocol] from [source IP] [source port] to [destination IP] [destination port]

You can also create a script in /etc/ipfw.rules and load your rules from it. The blog Exploring FreeBSD System Configuration can give you additional information.

For any changes in rules, restart the firewall:

service ipfw restart

Remember, a well-secured firewall is only part of a secure system. For more tips on FreeBSD security, refer to our blog Best Practices for System Hardening and Security in FreeBSD.

Configuring PF

PF, another stateful firewall, is native to OpenBSD but was later ported to FreeBSD. The installation of PF is similar to IPFW. The configuration is done in /etc/pf.conf file.

To add rules in PF, use the following command:

block in all 
pass out all keep state

Restart PF to implement changes:

/etc/rc.d/pf restart 

Configuring IPFilter

IPFilter is a software package that can provide network address translation (NAT) and firewall services. Configure IPFilter in /etc/ipf.rules file.

To load rules, use the command:

ipf -Fa -f /etc/ipf.rules

A detailed understanding of IPFilter can be achieved by referring to Implementing Firewalls for Security in FreeBSD.


Understanding and effectively implementing FreeBSD firewall configurations ensure a robust security system. Whether you prefer IPFW, PF, or IPFilter, FreeBSD provides you the flexibility to choose. Keep following our other blogs like FreeBSD Network Configuration and Troubleshooting to grasp more about FreeBSD’s varied functionalities.

Checkout these related ports: