The following document describes how to build your own BSD-based firewall.
1) Copy the GENERIC kernel to YOURKERNEL
root@machine# cd /usr/src/sys/i386/conf
root@machine# cp GENERIC YOURKERNEL
2) Compile the following into the kernel:
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPDIVERT
2) Add the following if you're "paranoid":
options TCP_RESTRICT_RST
options TCP_DROP_SYNFIN
3) Edit /etc/rc.conf to add the firewall:
firewall_enable="YES"
firewall_script="/etc/fw/fwruleset"
natd_enable="YES"
natd_interface="tun0"
natd_flags="-dynamic"
4) Create your firewall ruleset in /etc/fw/fwruleset
root@machine# mkdir /etc/fw
root@machine# vi /etc/fw/fwruleset
Sample firewall ruleset:
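# Define firewall command (straight quotes: the original used typographic
# quotes, which the shell does not treat as quoting)
fwcmd="/sbin/ipfw"
# Force flushing of current rules
"$fwcmd" -f flush
# Divert all packets on the tunnel interface through natd
# (natd must be running; see natd_enable in /etc/rc.conf)
"$fwcmd" add divert natd all from any to any via tun0
# Allow all data from local interfaces - change fxp0 to your LAN interface
"$fwcmd" add allow ip from any to any via lo0
"$fwcmd" add allow ip from any to any via fxp0
# Allow all connections we initiate (outbound SYN on the tunnel)
"$fwcmd" add allow tcp from any to any out xmit tun0 setup
# Allow connections that are open to stay open
"$fwcmd" add allow tcp from any to any via tun0 established
# Allow access to apache and ssh from the internet
# NOTE: these two rules match on every interface, not only packets
# arriving on tun0, so they also admit LAN-side connection attempts
"$fwcmd" add allow tcp from any to any 80 setup
"$fwcmd" add allow tcp from any to any 22 setup
# Sends RESET to all ident packets
"$fwcmd" add reset log tcp from any to any 113 in recv tun0
# Only allow DNS queries to specified DNS servers (replace x.x.x.x)
"$fwcmd" add allow udp from any to x.x.x.x 53 out xmit tun0
# Allow them back
# NOTE: matches any UDP datagram with source x.x.x.x:53, to any local port
"$fwcmd" add allow udp from x.x.x.x 53 to any in recv tun0
# Allow ICMP (all types, both directions)
"$fwcmd" add 65435 allow icmp from any to any
# Deny rest. This shares rule number 65435 with the ICMP rule above and
# relies on ipfw keeping insertion order among rules with the same number;
# giving the ICMP rule a lower, distinct number would make the order explicit.
"$fwcmd" add 65435 deny log ip from any to any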
Reboot your machine and you should have a fully functional firewall.