ipfw
allow forwarding
/etc/rc.conf:
gateway_enable="YES"
sysctl net.inet.ip.forwarding=1
enable L2 (Ethernet frame) filtering
sysctl net.link.ether.ipfw=1
$ipfw add allow all from any to any layer2 mac-type arp in
$ipfw add allow all from any to any layer2 mac-type arp out
$ipfw add deny all from any to me mac any 00:a0:98:f5:4c:fb
$ipfw add allow all from me to any mac any any
$ipfw add allow all from any to me mac any any
ipfw="ipfw -q"    (shell variable expanded as $ipfw in the rules above and below; set it before the first rule runs)
Limit packet size
$ipfw add deny icmp from any to me in iplen 500-65535
stateful firewall
check-state: matches packets against the dynamic rules created by keep-state
setup: matches TCP packets with the SYN flag set but no ACK, i.e. new connections
$ipfw add check-state :FORWARD
$ipfw add deny tcp from any to any established
$ipfw add allow tcp from $lan_net to any setup keep-state :FORWARD
$ipfw add deny tcp from any to any
$ipfw add allow udp from $lan_net to any keep-state :FORWARD
$ipfw add deny udp from any to any
$ipfw add allow ip from $lan_net to any keep-state :FORWARD
$ipfw add deny ip from any to any
anti-spoofing
$ipfw add deny ip from any to any not verrevpath in
$ipfw add deny ip from any to any not antispoof in
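The fragments above assembled into one loadable ruleset, as an added example that is not from the original page. The run() wrapper, the APPLY switch and the lan_net placeholder (192.168.1.0/24) are assumptions of this example; the blocked source MAC is the one the page uses. Two ordering choices are made deliberately: the ipfw shell variable is defined before any rule uses it, and the anti-spoofing denies are loaded before the keep-state rules, because a forged LAN source address arriving on the outside interface would otherwise match "allow ... from $lan_net ... keep-state" and create a dynamic rule for the spoofed flow.

```shell
#!/bin/sh
# Added example, not the page's own script. Rules are printed unless APPLY=1
# is set, so the ruleset can be reviewed on a host without ipfw.

lan_net="${lan_net:-192.168.1.0/24}"   # assumption: inside network prefix
bad_mac="00:a0:98:f5:4c:fb"            # source MAC denied on the page

# run: print the command, or execute it when APPLY=1
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

ipfw="run ipfw -q"      # defined before the first rule that expands $ipfw
sysctl="run sysctl"

enable_kernel_options() {
    $sysctl net.inet.ip.forwarding=1   # runtime equivalent of gateway_enable="YES"
    $sysctl net.link.ether.ipfw=1      # pass layer-2 frames through ipfw
}

build_ruleset() {
    $ipfw -f flush

    # anti-spoofing first: inbound IP whose source does not route back out
    # the arrival interface (verrevpath) or claims a directly connected
    # network it did not arrive from (antispoof) is dropped before any allow
    $ipfw add deny ip from any to any not verrevpath in
    $ipfw add deny ip from any to any not antispoof in

    # size limit on ICMP aimed at the firewall itself
    $ipfw add deny icmp from any to me in iplen 500-65535

    # layer 2: ARP both ways, drop frames from one known-bad source MAC
    $ipfw add allow all from any to any layer2 mac-type arp in
    $ipfw add allow all from any to any layer2 mac-type arp out
    $ipfw add deny all from any to me mac any $bad_mac
    $ipfw add allow all from me to any mac any any
    $ipfw add allow all from any to me mac any any

    # stateful section: check-state consults the dynamic rules named :FORWARD;
    # TCP with ACK set but no matching state is refused; only the LAN may open
    # new flows (setup = SYN without ACK), and each one creates state
    $ipfw add check-state :FORWARD
    $ipfw add deny tcp from any to any established
    $ipfw add allow tcp from $lan_net to any setup keep-state :FORWARD
    $ipfw add deny tcp from any to any
    $ipfw add allow udp from $lan_net to any keep-state :FORWARD
    $ipfw add deny udp from any to any
    $ipfw add allow ip from $lan_net to any keep-state :FORWARD
    $ipfw add deny ip from any to any
}

enable_kernel_options
build_ruleset
```

Run it once without APPLY to read the generated rule list, then with APPLY=1 as root on the FreeBSD gateway to load it; a console session (not an SSH session through the firewall) is the safe place to do the first load, since the flush drops all existing rules.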