```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>ipfw_firewall</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Users/blah/bin/ipfw_firewall.sh</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>UserName</key>
    <string>root</string>
    <key>GroupName</key>
    <string>wheel</string>
</dict>
</plist>
```

In my ~/bin directory, ipfw_firewall.sh looks like this:

```sh
#!/bin/sh
## Boot script for the firewall
#
# CONSTANTS
#
IPFW=/sbin/ipfw
SYSCTL=/usr/sbin/sysctl
#
# Required startup script statements
#
. /etc/rc.common
ConsoleMessage "Configuring Firewall"
#
# Enable logging to /var/log/ipfw.log
#
/usr/libexec/ipfwloggerd
$SYSCTL -w net.inet.ip.fw.verbose=2
$SYSCTL -w net.inet.ip.fw.verbose_limit=100
#
# Enable blackholes (drop packets to closed ports without a RST / ICMP unreachable)
#
$SYSCTL -w net.inet.tcp.blackhole=2
$SYSCTL -w net.inet.udp.blackhole=1
#
# Purge any existing rules
#
$IPFW -f flush
#
# Load the rule set from /etc/ipfw.conf
#
$IPFW -q /etc/ipfw.conf
```

And last but not least, the /etc/ipfw.conf file looks like this:

```
######################################################################
# Localhost Settings
######################################################################
# Allow everything on the localhost (127.0.0.1)
add 00100 set 0 allow ip from any to any via lo*
# Prevent spoofing attacks via localhost
add 00200 set 0 deny log all from 127.0.0.0/8 to any in
add 00201 set 0 deny log all from any to 127.0.0.0/8 in
add 00202 set 0 deny log ip from 224.0.0.0/3 to any in
add 00203 set 0 deny log tcp from any to 224.0.0.0/3 in
######################################################################
# ip-options
# (per FreeBSD Security Advisory: FreeBSD-SA-00:23.ip-options)
######################################################################
add 00250 set 0 deny log ip from any to any ipoptions ssrr,lsrr,ts,rr
######################################################################
# Allow outbound TCP, UDP & ICMP keep-state
######################################################################
add 00300 set 1 check-state
add 00301 set 1 deny log all from any to any frag in
add 00302 set 1 deny log tcp from any to any established
add 00303 set 1 allow tcp from me to any out setup keep-state
add 00304 set 1 allow udp from me to any out keep-state
add 00305 set 1 allow icmp from any to any out keep-state
# Allow traceroute out for diagnostics
add 00307 set 1 allow udp from me to any 33434-33525 out keep-state
add 00308 set 1 allow log udp from any to any 33434-33525 in keep-state
# Prevent spoofing attacks
add 00309 set 1 deny log ip from me to me in keep-state
# Deny inbound NetBIOS traffic, which just clogs up the logs
add 00311 set 1 deny tcp from any to any 137,138,139 in setup keep-state
add 00312 set 1 deny udp from any to any 137,138,139 in keep-state
# Prevent ident requests
add 00313 set 1 deny log tcp from any to me 113 in setup keep-state
# Attempt to prevent OS fingerprinting; port 0 is commonly used for fingerprinting purposes
add 00314 set 1 deny log tcp from any to any 0 in setup keep-state
add 00315 set 1 deny log udp from any to any 0 in keep-state
######################################################################
# DNS, Rendezvous, DHCP & NTP Services
######################################################################
# Allow DNS
add 00400 set 2 allow tcp from any to any 53 out setup keep-state
add 00401 set 2 allow udp from any to any 53 out keep-state
# Allow Rendezvous packets (mDNS Responder)
add 00402 set 2 allow udp from any 5353 to any in keep-state
# Multicast packets required by Rendezvous
add 00403 set 2 allow ip from any to 224.0.0.251 out keep-state
# Allow DHCP
add 00500 set 2 allow udp from any 68 to any 67 out keep-state
add 00501 set 2 allow log udp from any 67 to any dst-port 68 in keep-state
# Allow NTP
add 00600 set 2 allow udp from any to any 123 out keep-state
add 00601 set 2 allow tcp from any to any 123 out setup keep-state
######################################################################
# Services Inbound
######################################################################
# Allow SSH inbound
add 00700 set 3 count log tcp from any to any dst-port 22 in setup
add 00701 set 3 allow tcp from any to any dst-port 22 in setup keep-state
# Allow TCP 2456 inbound
add 00710 set 3 allow log tcp from any to any dst-port 2456 in setup keep-state
# Allow TCP 6881 inbound
add 00720 set 3 allow log tcp from any to any dst-port 6881 in setup keep-state
# Deny any TCP setup requests from the outside world
add 00800 set 3 deny log tcp from any to any setup in keep-state
######################################################################
# ICMP
######################################################################
# Deny ICMP
# (note: type 3, destination unreachable, is dropped here too, so path-MTU
# discovery for outbound connections will not work through this rule set)
add 00900 set 4 deny log icmp from any to me in icmptypes 0,3,4,8,11,12
# Deny external ICMP redirect requests
add 00901 set 4 deny log icmp from any to any icmptypes 5 in keep-state
# Silent block on router advertisements
add 00902 set 4 deny log icmp from any to any icmptypes 9
# Drop all other ICMP
add 00903 set 4 deny log icmp from any to any
######################################################################
# Cleanup
######################################################################
# Default deny rule
add 10000 set 5 deny log logamount 500 all from any to any
######################################################################
```
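To check how ipfw's top-to-bottom first-match walk treats a few packets against rules in the syntax above, here is an added Python simulator (it is not from the original post) that parses a constructed excerpt of the rule set; it ignores dynamic state and rule sets, and `ME` is an assumed host address standing in for ipfw's `me`.

```python
import fnmatch
import ipaddress
ME = ipaddress.ip_address("192.0.2.10")  # constructed host address standing in for ipfw's "me"
IPFW_CONF = """\
# constructed excerpt of the page's /etc/ipfw.conf (rule numbers and syntax as on the page)
add 00100 set 0 allow ip from any to any via lo*
add 00300 set 1 check-state
add 00303 set 1 allow tcp from me to any out setup keep-state
add 00311 set 1 deny tcp from any to any 137,138,139 in setup keep-state
add 00701 set 3 allow tcp from any to any dst-port 22 in setup keep-state
add 00800 set 3 deny log tcp from any to any setup in keep-state
add 10000 set 5 deny log logamount 500 all from any to any
"""

def ports(tok):  # "22", "137,138,139" or "33434-33525" -> set of port numbers
    return {n for part in tok.split(",") for lo, _, hi in [part.partition("-")]
            for n in range(int(lo), int(hi or lo) + 1)}

def parse(line):
    t = line.split()
    r = {"num": int(t[1]), "action": t[4], "dport": None, "opts": []}
    if r["action"] == "check-state":
        return r  # consults dynamic state only; a fresh packet has none, so it never matches here
    i, j = t.index("from"), t.index("to")
    r["proto"], r["src"], r["dst"] = t[i - 1], t[i + 1], t[j + 1]  # 'log [logamount N]' sits before proto
    rest = t[j + 2:]  # bare dst ports, then keywords: in/out, setup, keep-state, dst-port N, via IFACE
    if "dst-port" in rest:  # normalise "dst-port 22" to the bare "... to any 22" form
        rest.insert(0, rest.pop(rest.index("dst-port") + 1))
    if rest and rest[0][0].isdigit():
        r["dport"] = ports(rest.pop(0))
    r["opts"] = rest
    return r

def addr_ok(spec, ip):
    ip = ipaddress.ip_address(ip)
    return spec == "any" or (ip == ME if spec == "me" else ip in ipaddress.ip_network(spec))

def matches(r, p):  # static first-match test for one rule; dynamic state and rule sets are ignored
    o = r["opts"]
    return (r["action"] != "check-state" and r["proto"] in ("ip", "all", p["proto"])
            and addr_ok(r["src"], p["src"]) and addr_ok(r["dst"], p["dst"])
            and (not r["dport"] or p["dport"] in r["dport"])
            and ("in" not in o or p["dir"] == "in") and ("out" not in o or p["dir"] == "out")
            and ("setup" not in o or p.get("setup"))
            and ("via" not in o or fnmatch.fnmatch(p.get("iface", ""), o[o.index("via") + 1])))

def first_match(conf, p):  # walk the rules top to bottom like ipfw; (number, action) of the first hit
    for r in map(parse, [l for l in conf.splitlines() if l.startswith("add")]):
        if r["action"] != "count" and matches(r, p):  # count rules never terminate the search
            return r["num"], r["action"]
```

A packet is a dict with `proto`, `src`, `dst`, `dport`, `dir` (`in`/`out`), `setup` (TCP SYN only) and `iface`; an inbound non-SYN segment to port 22 falls through to the default deny because the `setup` rules do not match it and nothing here stands in for the dynamic state.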