6. Firewall

FreeBSD does not use Linux® IPTABLES for its firewall. Instead, FreeBSD offers a choice of three kernel level firewalls:

PF is developed by the OpenBSD project and ported to FreeBSD. PF was created as a replacement for IPFILTER and its syntax is similar to that of IPFILTER. PF can be paired with altq(4) to provide QoS features.

This sample PF entry allows inbound SSH:

pass in on $ext_if inet proto tcp from any to ($ext_if) port 22

IPFILTER is the firewall application developed by Darren Reed. It is not specific to FreeBSD and has been ported to several operating systems including NetBSD, OpenBSD, SunOS, HP/UX, and Solaris.

The IPFILTER syntax to allow inbound SSH is:

pass in on $ext_if proto tcp from any to any port = 22

IPFW is the firewall developed and maintained by FreeBSD. It can be paired with dummynet(4) to provide traffic shaping capabilities and simulate different types of network connections.

The IPFW syntax to allow inbound SSH would be:

ipfw add allow tcp from any to me 22 in via $ext_if

All FreeBSD documents are available for download at http://ftp.FreeBSD.org/pub/FreeBSD/doc/

Questions that are not answered by the documentation may be sent to <freebsd-questions@FreeBSD.org>.
Send questions about this document to <freebsd-doc@FreeBSD.org>.