Ввиду большого кол-ва вопросов по данной теме (как правило, со стороны людей вроде меня :) ) привожу мои работающие конфиги:
/etc/rc.confgateway_enable="YES"
#x.x.x.x - ip шлюза, предоставленного провом
defaultrouter="x.x.x.x"
hostname="my_hostname"
ifconfig_xl0="inet 192.168.2.251 netmask 255.255.255.0"
ifconfig_xl1="inet x.x.x.y netmask 255.255.255.248"
inetd_enable="YES"
kern_securelevel_enable="NO"
linux_enable="YES"
nfs_reserved_port_only="YES"
sendmail_enable="YES"
sshd_enable="YES"
usbd_enable="YES"
#natd
natd_enable="YES"
natd_interface="xl1"
#firewall
firewall_enable="YES"
firewall_type="/usr/local/etc/firewall.conf"
#firewall_type="OPEN"
#named
named_enable="YES"
Теперь ipfw-скрипт (/usr/local/etc/rc.d/firewall.sh):
Повторяю: взял отсюда http://freebsd.vinf.ru/doc/en/books/handbook/firewalls-ipfw....
ipfw -q -f flush
cmd="ipfw -q add"
skip="skipto 800"
pif="xl1" # public interface name of NIC
$cmd 005 allow all from any to any via xl0
$cmd 010 allow all from any to any via lo0
$cmd 014 divert natd ip from any to any in via $pif
$cmd 015 check-state
$cmd 020 $skip tcp from any to 195.5.128.130 53 out via $pif setup keep-state
$cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state
$cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state
$cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state
$cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state
$cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root
$cmd 080 $skip icmp from any to any out via $pif keep-state
$cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state
$cmd 100 $skip tcp from any to any 119 out via $pif setup keep-state
$cmd 110 $skip tcp from any to any 22 out via $pif setup keep-state
$cmd 120 $skip tcp from any to any 43 out via $pif setup keep-state
$cmd 130 $skip udp from any to any 123 out via $pif keep-state
$cmd 300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP
$cmd 301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP
$cmd 302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP
$cmd 303 deny all from 127.0.0.0/8 to any in via $pif #loopback
$cmd 304 deny all from 0.0.0.0/8 to any in via $pif #loopback
$cmd 305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config
$cmd 306 deny all from 192.0.2.0/24 to any in via $pif #reserved for docs
$cmd 307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster
$cmd 308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast
# Deny ident
$cmd 315 deny tcp from any to any 113 in via $pif
# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd 320 deny tcp from any to any 137 in via $pif
$cmd 321 deny tcp from any to any 138 in via $pif
$cmd 322 deny tcp from any to any 139 in via $pif
$cmd 323 deny tcp from any to any 81 in via $pif
# Deny any late arriving packets
$cmd 330 deny all from any to any frag in via $pif
# Deny ACK packets that did not match the dynamic rule table
$cmd 332 deny tcp from any to any established in via $pif
# Allow in standard www function because I have Apache server
$cmd 370 allow tcp from any to me 80 in via $pif setup limit src-addr 2
# Allow in secure FTP, Telnet, and SCP from public Internet
$cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2
# Reject & Log all unauthorized incoming connections from the public Internet
$cmd 400 deny log all from any to any in via $pif
# Reject & Log all unauthorized out going connections to the public Internet
$cmd 450 deny log all from any to any out via $pif
# This is skipto location for outbound stateful rules
$cmd 800 divert natd ip from any to any out via $pif
$cmd 801 allow ip from any to any
# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 999 deny log all from any to any
