====== ipfw ======
===== allow forwarding =====
^ /etc/rc.conf ^
| gateway_enable="YES" |
sysctl net.inet.ip.forwarding=1
===== allow L2 filtering =====
sysctl net.link.ether.ipfw=1
$ipfw add allow all from any to any layer2 mac-type arp in
$ipfw add allow all from any to any layer2 mac-type arp out
$ipfw add deny all from any to me mac any 00:a0:98:f5:4c:fb
$ipfw add allow all from me to any mac any any
$ipfw add allow all from any to me mac any any
* silent mode: the rules above are added through the //$ipfw// variable; //-q// suppresses the echo of each rule as it is added
ipfw="ipfw -q"
===== Limit packet size =====
$ipfw add deny icmp from any to me in iplen 500-65535
===== stateful firewall =====
* //check-state// matches packets against the dynamic rules created by //keep-state//
* //setup// matches TCP packets that have the SYN flag set but no ACK (new connections)
$ipfw add check-state :FORWARD
$ipfw add deny tcp from any to any established
$ipfw add allow tcp from $lan_net to any setup keep-state :FORWARD
$ipfw add deny tcp from any to any
$ipfw add allow udp from $lan_net to any keep-state :FORWARD
$ipfw add deny udp from any to any
$ipfw add allow ip from $lan_net to any keep-state :FORWARD
$ipfw add deny ip from any to any
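The following is an added illustration, not part of the original page and not ipfw's own code: a small Python model of how the stateful ruleset above is evaluated in first-match order, showing why //deny tcp established// before //allow ... setup keep-state// blocks unsolicited packets while replies to LAN-initiated flows pass through //check-state//. The LAN prefix and all addresses are constructed values (//$lan_net// is assumed to be 192.168.1.0/24).

```python
import ipaddress
SYN, ACK, RST = 0x02, 0x10, 0x04
LAN_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed value of $lan_net

def flow_key(p, reverse=False):
    """Tuple identifying a flow; reverse=True gives the key of the reply direction."""
    a, b = (p["src"], p["sport"]), (p["dst"], p["dport"])
    return (p["proto"],) + (b + a if reverse else a + b)

class StatefulFirewall:
    """First-match evaluation of the stateful ruleset above (simplified model)."""
    def __init__(self):
        self.dynamic = set()  # dynamic rules created by keep-state

    def evaluate(self, p):
        from_lan = ipaddress.ip_address(p["src"]) in LAN_NET
        # check-state: any packet of a flow opened earlier is allowed in both directions
        if flow_key(p) in self.dynamic or flow_key(p, reverse=True) in self.dynamic:
            return "allow"
        if p["proto"] == "tcp":
            # deny tcp from any to any established: ACK or RST set, no dynamic rule
            if p["flags"] & (ACK | RST):
                return "deny"
            # allow tcp from $lan_net to any setup keep-state: SYN without ACK
            if from_lan and p["flags"] & SYN and not p["flags"] & ACK:
                self.dynamic.add(flow_key(p))
                return "allow"
            return "deny"  # deny tcp from any to any (e.g. a SYN arriving from outside)
        # udp and other ip: allow from $lan_net with keep-state, deny the rest
        if from_lan:
            self.dynamic.add(flow_key(p))
            return "allow"
        return "deny"

def pkt(proto, src, sport, dst, dport, flags=0):
    return dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport, flags=flags)

def demo():
    """Constructed sample traffic (documentation addresses); returns each verdict."""
    fw = StatefulFirewall()
    lan, srv, ext = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    return {
        "lan_syn_out": fw.evaluate(pkt("tcp", lan, 40000, srv, 443, SYN)),
        "reply_synack": fw.evaluate(pkt("tcp", srv, 443, lan, 40000, SYN | ACK)),
        "outside_syn": fw.evaluate(pkt("tcp", ext, 5555, lan, 22, SYN)),
        "outside_ack_only": fw.evaluate(pkt("tcp", ext, 5555, lan, 22, ACK)),
        "lan_dns_query": fw.evaluate(pkt("udp", lan, 53000, srv, 53)),
        "dns_reply": fw.evaluate(pkt("udp", srv, 53, lan, 53000)),
        "unsolicited_udp": fw.evaluate(pkt("udp", ext, 53, lan, 53000)),
    }
```

Running //demo()// shows only the LAN-initiated flows and their replies allowed; a SYN/ACK or UDP reply arriving without a matching dynamic rule is denied.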
===== anti-spoofing =====
$ipfw add deny ip from any to any not verrevpath in
$ipfw add deny ip from any to any not antispoof in