FreeBSD Firewalls: Ultimate Guide for 2023

Are you concerned about the security of your network? Look no further! FreeBSD firewalls have got you covered.

With their robust features and rock-solid reliability, they are the ultimate defense against cyber threats. But how did FreeBSD firewalls come to be? Let’s take a quick trip down memory lane.

FreeBSD, an open-source operating system derived from Berkeley Software Distribution (BSD), has a rich history in firewall development.

Its flexibility and versatility make it a popular choice for implementing secure networks.

Whether it’s using the loopback interface or shell scripts for customization or leveraging the power of vtnet0 interfaces, FreeBSD offers unparalleled control over network traffic.

Linux may be a household name, but FreeBSD firewalls bring their unique advantages to the table. So why wait?

Let’s dive into the world of FreeBSD firewalls and fortify your network against any state entry that dares to threaten its integrity.


Understanding Firewall Basics:

Firewalls play a crucial role in protecting networks by filtering incoming and outgoing traffic.

How Firewalls Work to Protect Networks

Firewalls act as a barrier between an internal network and the external internet.

They examine all incoming and outgoing packets of data, determining whether to allow or block them based on predefined rules.

By doing so, firewalls prevent unauthorized access and protect against malicious activities.

A key aspect of firewalls is their ability to differentiate between inbound and outbound traffic filtering.

Inbound vs Outbound Traffic Filtering

Inbound traffic refers to data coming from external sources attempting to access resources within the internal network.

Outbound traffic, on the other hand, originates from within the internal network and is destined for external destinations.

Firewalls employ different techniques for each type of filtering:

  1. Inbound Traffic Filtering: When examining incoming traffic, firewalls focus on protecting the internal network from potential threats.

    They analyze packets based on various criteria such as source IP addresses, port numbers, protocols (e.g., TCP or UDP), and specific application-level information (e.g., FTP).

  2. Outbound Traffic Filtering: Outgoing packets are scrutinized to ensure that no unauthorized or potentially harmful information leaves the local network.

    Firewalls monitor these packets for any suspicious activity or attempts to transmit sensitive data without proper authorization.

Common Firewall Terms: Rules, Policies, and Zones

To effectively configure firewalls, it is essential to understand some common terms associated with them:

  1. Firewall Rules: These are predefined instructions that dictate how a firewall should handle incoming and outgoing packets based on specific criteria such as source/destination IP addresses, ports, protocols, or application-level details.

    Firewall rules provide granular control over network traffic.

  2. Policies: A policy represents a set of rules that collectively define the overall behavior of a firewall.

    Policies help administrators manage and enforce security measures consistently throughout the network.

  3. Zones: Firewalls often divide networks into different zones, each with its own set of security requirements.

    For example, an internal network zone may have more permissive rules compared to an external zone exposed directly to the internet.

Understanding these terms allows administrators to configure firewalls effectively and tailor them to their specific network requirements.


Comparing FreeBSD’s Firewall Options:

IPFW, PF, and IPFilter on FreeBSD

When choosing a firewall for FreeBSD, you have several options available. Each of these firewalls has its own strengths and weaknesses, so let’s dive into the details.

IPFW

IPFW (Internet Protocol Firewall) is the default firewall option included with FreeBSD.

It offers a wide range of features and flexibility, making it suitable for both simple and complex network setups.

With IPFW, you can create rules based on source and destination addresses, ports, protocols, and more.

Strengths:

  • Easy to set up and configure

  • Offers granular control over network traffic

  • Supports advanced features like stateful packet inspection

  • Well-documented with plenty of online resources available

Weaknesses:

  • Less actively maintained compared to other options

  • Limited community support

  • May not be as performant as some alternatives

PF

PF (Packet Filter) is another popular firewall choice for FreeBSD systems.

Originally developed for OpenBSD but later ported to other BSD variants including FreeBSD, PF provides powerful filtering capabilities along with network address translation (NAT) functionality.

Strengths:

  • Highly configurable with a flexible rule syntax

  • Excellent performance even under heavy loads

  • Supports various advanced features like traffic shaping and queueing

  • Active development community with regular updates

Weaknesses:

  • Steeper learning curve compared to other firewalls

  • Documentation can be overwhelming for beginners

  • Requires additional configuration steps for certain functionalities

IPFilter

IPFilter is a mature firewall solution that has been around for many years.

It offers a straightforward rule language that allows you to define filtering criteria based on source/destination addresses, ports, protocols, etc. While not as widely used as IPFW or PF, it remains a viable option for FreeBSD users.

Strengths:

  • Lightweight and efficient

  • Simple rule syntax that is easy to understand

  • Provides good performance even on older hardware

  • Stable and reliable

Weaknesses:

  • Limited community support and resources available

  • Not as actively maintained as some other firewalls

  • Lacks some advanced features found in IPFW and PF

Community Support and Future Development Prospects

When choosing a firewall for your FreeBSD system, community support and future development prospects are crucial factors to consider.

While all three firewalls discussed above have their own user communities, the level of support and ongoing development varies.

IPFW, being the default firewall option, benefits from a larger user base but has seen less active development in recent years.

However, it still receives bug fixes and updates from the FreeBSD project.

PF has a vibrant community surrounding it, with regular updates and improvements being made by both the OpenBSD team and FreeBSD maintainers.

This ensures ongoing support and future enhancements.

On the other hand, IPFilter’s community is relatively smaller compared to the other two options.

While it may not receive frequent updates or new features, its stability makes it a suitable choice for those seeking simplicity without sacrificing security.


Configuring and Setting up the PF Firewall on FreeBSD:

Step-by-step guide to installing PF on a FreeBSD system

To configure and set up the PF firewall on your FreeBSD system, follow these simple steps:

  1. Open a terminal window and log in as the root user.

  2. Check if PF is already installed by running the following command:

    # pfctl -V

    If it’s not installed, you can install it using the following command:

    # pkg install pf

  3. Once PF is installed, you need to enable it at system startup. Open the /etc/rc.conf file with your preferred text editor.

  4. Add the following line to enable and start PF at boot:
    pf_enable="YES"

  5. Save and close the file.

  6. Now, let’s move on to configuring the PF firewall rules using its configuration file located at /etc/pf.conf. Open this file in your text editor.

  7. The configuration file follows a specific structure for defining firewall rules.
    Each rule consists of several components, including source/destination addresses, ports, protocols, and actions.

  8. To allow incoming HTTP traffic (port 80) from any source IP address, add the following rule to your pf.conf file:

    pass in proto tcp from any to any port 80

  9. Similarly, you can create rules for other services or protocols based on your requirements.

  10. After modifying the pf.conf file, save it and exit your text editor.

  11. To load and activate these new rules immediately without rebooting, run the following command:

    # pfctl -f /etc/pf.conf

  12. Congratulations! You have successfully configured and set up the PF firewall on your FreeBSD system.

Explaining the configuration file structure for PF firewall rules

The configuration file for PF firewall rules, /etc/pf.conf, plays a crucial role in defining how the firewall behaves.

It uses a simple yet powerful syntax that allows you to specify various aspects of network traffic filtering.

The basic structure of a rule consists of the following components:

  • Action: Determines what should happen with matching packets (e.g., pass to allow, block to deny).

  • Direction: Specifies whether the rule applies to incoming (in) or outgoing (out) traffic.

  • Protocol: Defines the protocol used by the packet (e.g., TCP, UDP).

  • Source/Destination Addresses and Ports: Specify the source and destination IP addresses and ports involved in the rule.

  • Options: Additional options can be added to further refine the rule’s behavior.

By understanding this structure, you can create complex rules to meet your specific needs.

Remember to always test your rules thoroughly before applying them in a production environment.

Demonstrating how to enable PF at system startup

Enabling PF at system startup ensures that your FreeBSD system automatically starts using the configured firewall rules without any manual intervention.

To enable PF at system startup:

  1. Open the /etc/rc.conf file using your preferred text editor.

  2. Add or modify the following line:

    pf_enable="YES"

  3. Save and close the file.


Building a Base Ruleset for PF Firewall

Creating a solid base ruleset is essential when configuring the PF firewall on your FreeBSD system.

By establishing a strong foundation, you can effectively filter incoming and outgoing traffic, ensuring optimal security for your network.

Basic Rules for Incoming and Outgoing Traffic

When setting up your firewall ruleset, it is crucial to define how you want to handle both incoming and outgoing traffic. To begin, let’s focus on incoming traffic.

The first rule in your preliminary ruleset should typically be a “pass” rule that permits established connections:

pass in quick on $ext_if proto { tcp, udp } from any to any keep state

This rule allows packets related to existing connections to pass through the firewall without further inspection.

Next, you may want to consider blocking specific ports or services that are not required by your system.

For example, if SSH access is only necessary from certain IP addresses, you can create a filter rule like this:

block in on $ext_if proto tcp from any to $your_ip port ssh

Here, we are blocking incoming SSH connections from any source IP except for the specified $your_ip.

Moving on to outgoing traffic, it is generally recommended to have an explicit “block all” rule as the last entry in your ruleset:

block out quick all

This ensures that any outbound packets not explicitly allowed by previous rules will be dropped.

Best Practices for Rule Ordering and Syntax

Maintaining proper rule ordering and syntax is crucial for an effective PF configuration. Here are some best practices to consider:

  1. Place more specific rules before general ones: It’s important to order your rules so that more specific conditions are evaluated before general ones.

  2. Utilize dynamic rules: Instead of hardcoding IP addresses or network ranges, consider using dynamic rules that adapt to changing conditions.

  3. Assign rule numbers: Numbering your rules can help with organization and troubleshooting.

  4. Set a default policy: Define a default policy for packets that do not match any rules in your list.

Addressing Common Scenarios

When building your PF ruleset, it’s essential to address common scenarios such as allowing SSH access or blocking specific ports. Here are some examples:

  • Allowing SSH access from a specific IP range:

pass in on $ext_if proto tcp from $allowed_ips to $your_ip port ssh

  • Blocking incoming connections on a specific port:

block in on $ext_if proto { tcp, udp } from any to any port $blocked_port

Remember, these examples are just starting points, and you should tailor them according to your specific requirements.
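The following /etc/pf.conf is an added example, not a ruleset from the original article; it ties together the setup steps above (enabling PF, editing pf.conf, allowing a service) and the base-ruleset and SSH-restriction examples from this section. The interface name vtnet0, the table contents (RFC 5737 documentation addresses) and the list of served ports are assumptions to adjust for your host. One point the example relies on: PF evaluates a ruleset top to bottom and the last matching rule wins, unless a rule carries the quick keyword, which ends evaluation at that rule. A default-deny ruleset therefore places the broad block rules first and the specific pass rules after them.

```pf
# /etc/pf.conf: minimal default-deny ruleset for a single-homed FreeBSD host.
# Added example, not from the original article. Interface name, table entries
# and served ports are assumptions; adjust them to your system.

ext_if = "vtnet0"      # external interface (assumed name, check ifconfig)

# Sources allowed to reach SSH. Constructed example values (RFC 5737 ranges);
# replace with your real management networks.
table <admin_nets> persist { 192.0.2.0/24, 198.51.100.7 }

set skip on lo0             # never filter the loopback interface
set block-policy drop       # drop silently instead of sending RST/ICMP unreachable
scrub in on $ext_if all fragment reassemble

# Default deny in both directions. These are the FIRST rules because PF uses
# last-match-wins: the more specific pass rules below override them.
block in log all
block out all

# Drop inbound packets on $ext_if that claim to come from our own addresses.
antispoof quick for $ext_if

# Outbound: this host may initiate connections; the state entry lets the
# replies back in without a separate "pass in" rule.
pass out on $ext_if proto { tcp, udp, icmp } from ($ext_if) to any keep state

# Inbound: SSH only from the administration table, HTTP/HTTPS from anywhere.
# flags S/SA matches only the initial SYN of a new connection.
pass in on $ext_if proto tcp from <admin_nets> to ($ext_if) port ssh \
    flags S/SA keep state
pass in on $ext_if proto tcp from any to ($ext_if) port { http, https } \
    flags S/SA keep state

# Keep the host answerable to ping for diagnostics.
pass in on $ext_if inet proto icmp icmp-type echoreq keep state
```

Check the file with pfctl -nf /etc/pf.conf (parse only, nothing is loaded) before pfctl -f /etc/pf.conf, and set pflog_enable="YES" next to pf_enable="YES" in /etc/rc.conf so that the block in log rule writes to pflog0, where tcpdump -n -e -ttt -i pflog0 shows what was dropped. When editing rules over SSH, load them from a session you can afford to lose or keep a second console session open, since a mistaken block rule takes effect immediately.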


Utilizing Overload Tables for Enhanced Security:

Overload tables are a powerful feature in the PF firewall that can greatly enhance the security of your FreeBSD system.

By effectively managing network connections, overload tables provide an additional layer of defense against various threats, such as Denial-of-Service (DoS) attacks and unauthorized access attempts.

An overload table is essentially a dynamic state table that allows you to define specific rules for handling incoming network traffic.

It acts as a mechanism to control the flow of connections based on various criteria, such as source IP addresses or subnets.

By utilizing overload tables, administrators gain granular control over network traffic and can effectively manage resource allocation.

Preventing DoS Attacks and Limiting Connections

One key application of overload tables is their ability to prevent DoS attacks by limiting the number of connections from specific IP addresses or subnets.

This functionality is particularly useful when dealing with brute force attacks where an attacker repeatedly attempts to gain unauthorized access by guessing passwords or exploiting vulnerabilities.

By configuring an overload table with appropriate rules, you can set limits on the number of connection attempts allowed from a particular source IP address within a specified time frame.

For example, you could restrict the maximum number of connection attempts per minute from a single IP address attempting to establish SSH connections.

This helps mitigate the risk posed by malicious actors attempting to exploit weak credentials through brute force techniques.

Configuring Overload Tables in PF Ruleset

To configure overload tables within your PF ruleset on FreeBSD, you need to define the desired table entries and associated parameters.

Here’s an example configuration snippet that demonstrates how overload tables can be implemented:

table <overload> persist
block quick from <overload>
# The rate below is an assumed placeholder: a source exceeding it is added to <overload>.
pass in inet proto tcp from any to any port { 22, 80 } \
    flags S/SA keep state (max-src-conn-rate 15/5, overload <overload> flush global)

In this example, we define an overload table called <overload> and make it persistent across firewall restarts.

We then block incoming connections from IP addresses present in the overload table using the block quick directive.

To allow incoming TCP connections on ports 22 (SSH) and 80 (HTTP), we use the pass directive along with the inet proto tcp filter.

The flags S/SA option ensures that only SYN-ACK packets are considered for state tracking, while the overload flush global parameter enables dynamic state management for overloaded connections.

By customizing these configurations according to your specific requirements, you can effectively utilize overload tables to enhance security within your FreeBSD firewall.
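The snippet below is an added example of the overload mechanism described in this section, not the article's own snippet. The interface name and the numeric limits are assumptions; what is not an assumption is the meaning of the options: max-src-conn caps simultaneous connections per source address, max-src-conn-rate N/S triggers when a source opens more than N new connections within S seconds, and the overload clause adds the offending address to the named table, with flush (optionally global) also tearing down that source's existing states.

```pf
# Brute-force throttling with an overload table. Added example, not the
# article's snippet. Interface name and the limits are assumptions.

ext_if = "vtnet0"

# Table of offenders. "persist" keeps the table in the kernel even while no
# rule references it; addresses are inserted by the overload clauses below.
table <bruteforce> persist

# Evaluated before the pass rules; "quick" ends evaluation here, so anything
# already in the table is dropped without reaching the pass rules.
block in quick on $ext_if from <bruteforce>

# flags S/SA: of the SYN and ACK bits, only SYN may be set, so the rule sees
# the first packet of a new connection and never the SYN-ACK reply.
# max-src-conn 10: at most 10 open SSH sessions from one address.
# max-src-conn-rate 5/30: more than 5 new connections in 30 s adds the
# source to <bruteforce>; "flush global" also kills all of its states.
pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, overload <bruteforce> flush global)

# Web traffic gets looser limits; "flush" without "global" removes only the
# states created by this rule, not the source's other connections.
pass in on $ext_if inet proto tcp from any to ($ext_if) port { http, https } \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 60/10, overload <bruteforce> flush)
```

Inspect the table with pfctl -t bruteforce -T show, remove a single address with pfctl -t bruteforce -T delete followed by the address, and age out stale entries with pfctl -t bruteforce -T expire 86400 (entries older than 86400 seconds), which is worth running from cron so that a blocked address is not banned forever. Two caveats: the limits are per source address, so many clients behind one NAT gateway share a single budget, and the table does not survive a reboot unless you reload it from a file you save with pfctl -t bruteforce -T show.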

Exploring In-Kernel NAT Instance Options in PF Firewall

Network Address Translation (NAT) is a crucial aspect of firewall configuration, allowing for the translation of IP addresses between different networks.

The PF firewall offers various options for configuring NAT instances within the kernel.

Overview of Network Address Translation (NAT) concepts

Before diving into the specifics of PF’s in-kernel NAT instance options, let’s take a moment to understand the fundamental concepts behind Network Address Translation.

NAT serves as a bridge between two networks by translating IP addresses and ports. It enables multiple devices within a private network to share a single public IP address when communicating with external networks.

Discussion on different types of NAT instances available in PF firewall

PF provides several types of NAT instances that can be configured within the kernel. These include:

  1. Source NAT (SNAT): SNAT allows for modifying the source IP address or port of outgoing packets from internal hosts.

  2. Destination NAT (DNAT): DNAT modifies the destination IP address or port of incoming packets destined for internal hosts.

  3. Static NAT: Static NAT establishes one-to-one mappings between specific internal and external IP addresses.

  4. Port Forwarding: Port forwarding forwards incoming traffic from an external network to a specific internal host based on predefined rules.

Each type has its own purpose and use case, providing flexibility in managing network traffic and securing your system.

Demonstrating how to configure NAT instances within a PF ruleset

Configuring NAT instances within a PF ruleset involves defining rules that specify how traffic should be translated at both the source and destination ends. Here’s an example configuration for SNAT:

nat pass on $ext_if from $int_net to any -> ($ext_if)

This rule instructs PF to pass traffic from the internal network ($int_net) to any external destination, translating the source IP address to the IP address of the external interface ($ext_if).

Similarly, configuring DNAT involves defining rules that specify how incoming traffic should be translated. Here’s an example configuration for DNAT:

rdr pass on $ext_if proto tcp from any to $ext_ip port $ext_port -> $int_ip

This rule forwards incoming TCP traffic from any source to a specific external IP address and port, redirecting it to an internal host with the IP address ($int_ip).
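The ruleset below is an added example of the two translation rule types covered in this section, not configuration from the original article, written for a FreeBSD host that routes for a LAN. Interface names, the internal network and the web server address are assumptions (RFC 1918 and constructed values). It also shows the point a first NAT configuration most often gets wrong: rdr only rewrites the destination, and the matching pass rule must name the internal address because filter rules see the packet after translation.

```pf
# Gateway NAT and port forwarding. Added example, not from the article.
# Interface names, addresses and the forwarded service are assumptions.

ext_if  = "vtnet0"        # interface facing the internet
int_if  = "vtnet1"        # interface facing the LAN
int_net = "10.0.0.0/24"   # assumed LAN prefix
web_srv = "10.0.0.80"     # assumed internal host receiving forwarded HTTP

set skip on lo0

# Source NAT: rewrite the source address of outbound LAN traffic to the
# external interface's current address. Parentheses make PF re-read the
# address when it changes (e.g. DHCP lease renewal).
nat on $ext_if inet from $int_net to any -> ($ext_if)

# Destination NAT: forward TCP port 80 arriving on the external address to
# the internal web server. Translation rules must precede filter rules.
rdr on $ext_if inet proto tcp from any to ($ext_if) port http -> $web_srv port http

# Default deny, then the specific permits (last matching rule wins).
block in log all
block out all

# LAN hosts may reach the gateway and, through it, the internet.
pass in on $int_if from $int_net to any keep state
pass out on $ext_if from any to any keep state

# Forwarded traffic is filtered AFTER rdr has rewritten the destination, so
# this rule matches the internal server address, not the external one.
pass in on $ext_if inet proto tcp from any to $web_srv port http \
    flags S/SA keep state
```

Packet forwarding between the two interfaces is off by default; set gateway_enable="YES" in /etc/rc.conf (which sets the sysctl net.inet.ip.forwarding to 1) or NAT will translate packets the kernel then refuses to route. pfctl -sn lists the loaded translation rules, pfctl -sr the filter rules and pfctl -ss the state table, where a working forward shows up as a state whose destination is the internal server.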

Key Takeaways from FreeBSD Firewalls:

In conclusion, understanding the basics of firewalls is crucial for implementing effective security measures on your FreeBSD system.

Comparing the firewall options available in 2021 allows you to make an informed decision based on your specific needs.

Configuring and setting up the PF firewall on FreeBSD requires careful attention to detail, but it provides a powerful tool for protecting your network.

Building a base ruleset for the PF firewall ensures that only desired traffic is allowed through while blocking potential threats.

Utilizing overload tables can enhance security by preventing malicious activity and managing network resources effectively.

Exploring in-kernel NAT instance options within the PF firewall offers additional flexibility for customizing your network setup.

To make the most of FreeBSD firewalls, keep these key takeaways in mind:

  1. Understand the fundamentals: Familiarize yourself with how firewalls work and their importance in safeguarding your system.

  2. Compare options: Evaluate different firewall choices available for FreeBSD to select one that aligns with your requirements.

  3. Configure with care: Take the time to properly set up and configure the PF firewall to ensure optimal protection.

  4. Establish a solid ruleset: Build a comprehensive ruleset that allows legitimate traffic while blocking potential threats.

  5. Leverage overload tables: Use overload tables effectively to enhance security and efficiently manage network resources.

  6. Explore advanced features: Consider utilizing in-kernel NAT instance options within PF firewall to customize your network setup further.

By following these guidelines, you can strengthen your network’s security and protect against potential cyber threats.

FAQs

Q: Can I use multiple firewalls simultaneously on my FreeBSD system?

Yes, it is possible to use multiple firewalls simultaneously on FreeBSD by configuring each one separately according to its specific rules and requirements.

Q: Are there any performance considerations when using a firewall on FreeBSD?

Firewall performance depends on various factors such as hardware capabilities, rule complexity, and traffic volume. It is essential to regularly monitor and optimize your firewall configuration for optimal performance.

Q: Can I use the PF firewall on FreeBSD for both IPv4 and IPv6 traffic?

Yes, the PF firewall on FreeBSD supports both IPv4 and IPv6 traffic. You can configure rules to handle both types of network traffic effectively.

Q: How frequently should I update my firewall ruleset on FreeBSD?

Regularly updating your firewall ruleset is crucial to adapt to emerging threats and maintain an effective security posture. It is recommended to review and update your ruleset periodically or whenever significant changes occur in your network environment.

Q: Are there any graphical user interfaces (GUIs) available for managing FreeBSD firewalls?

Yes, several graphical user interfaces (GUIs) are available for managing FreeBSD firewalls, such as pfSense and OPNsense. These GUIs provide a user-friendly interface for configuring and monitoring firewalls on FreeBSD systems. Remember, implementing robust security measures with FreeBSD firewalls requires continuous vigilance and staying updated with the latest best practices in network security.
