ipfirewall (ipfw)


ipfirewall or ipfw is a FreeBSD IP packet filter and traffic accounting facility. Its ruleset logic is similar to that of many other packet filters, IPFilter excepted. ipfw is authored and maintained by FreeBSD volunteer staff members. Its syntax enables use of sophisticated filtering capabilities and thus allows professional users to satisfy advanced requirements. It can either be used as a loadable kernel module or incorporated into the kernel; use as a loadable kernel module where possible is highly recommended. ipfw is the built-in firewall of Mac OS X[1] and DragonFly BSD. Like FreeBSD, ipfw is open source. It is used in many FreeBSD-based firewall products, including m0n0wall and FreeNAS. A port of ipfw and the dummynet traffic shaper is available for Linux, OpenWrt and Windows. wipfw is a Windows port of an old (2001) version of ipfw.


  1. Modify the ipfirewall ruleset and/or its supporting definition files. At the next boot, the modified rules will be read into the running kernel.
    % sudo vi /etc/ipfw.conf
    % sudo vi /etc/ipfw.local_isp
    % sudo vi /etc/ipfw.ub_nets
  2. Do not attempt to introduce the modified rules into the running kernel by restarting ipfw via its startup script. This can hang the machine, requiring a hard boot to recover (this happened most recently on Apr. 9, 2012). In other words, do NOT run:
    % sudo /etc/rc.d/ipfw restart
  3. Instead, copy the modified rules that you added to ipfw.conf and run them from the command line, one at a time, to introduce them to the running kernel, e.g.:
    % sudo ipfw add 12090 allow ip from any to any dst-port 22
  4. We maintain production per-machine ipfw configurations in an archive, allowing us to reconstruct firewall servers in the event of catastrophic failure. Add the rule modifications to the archived configuration there. Follow the advice in README_LOCAL.
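The following is an added example (not from the original page) that automates steps 2 and 3: it compares the rules in ipfw.conf with the kernel's live ruleset and introduces only the missing ones, each on its own ipfw add command, so the startup script is never restarted. It assumes ipfw.conf holds one rule per line in the form "add <number> <rule body>", with blank and '#' lines ignored; the IPFW variable and DRY_RUN switch are additions for testing.

```shell
#!/bin/sh
# Added example, not part of the original page. Introduces only the rules that
# are in ipfw.conf but absent from the running kernel, one "ipfw add" at a
# time, instead of restarting /etc/rc.d/ipfw. Assumed config format: one rule
# per line as "add <number> <rule body>"; blank and '#' lines are ignored.

IPFW="${IPFW:-/sbin/ipfw}"   # override for dry runs or tests

# Rule numbers found in saved "ipfw list" output ($1): "00100 allow ..." -> 100
live_rule_numbers() {
    awk 'NF && $1 ~ /^[0-9]+$/ { print $1 + 0 }' "$1"
}

# Config rules ($1) whose number does not appear in the live listing ($2).
missing_rules() {
    livefile=$(mktemp) || return 1
    live_rule_numbers "$2" > "$livefile"
    # Compare on FILENAME (not NR==FNR) so an empty live listing still works.
    awk -v livefile="$livefile" '
        FILENAME == livefile { live[$1 + 0] = 1; next }
        /^[[:space:]]*(#|$)/ { next }
        $1 == "add" && $2 ~ /^[0-9]+$/ && !(($2 + 0) in live) { print }
    ' "$livefile" "$1"
    rm -f "$livefile"
}

# Add each missing rule from config $1 to the running kernel with its own
# "ipfw add", stopping at the first failure. DRY_RUN=1 prints the commands.
apply_missing_rules() {
    listing=$(mktemp) || return 1
    "$IPFW" list > "$listing" || { rm -f "$listing"; return 1; }
    missing_rules "$1" "$listing" | while read -r rule; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$IPFW $rule"
        else
            # $rule is intentionally unquoted: it is a list of ipfw words.
            "$IPFW" $rule || { echo "failed: $rule" >&2; break; }
        fi
    done
    rm -f "$listing"
}
```

Run it as root with DRY_RUN=1 first and compare the printed commands against what you added to ipfw.conf; then run it again without DRY_RUN and confirm with ipfw list.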


  1. Display the kernel's currently-running, live ipfirewall ruleset (non-disruptive).
    % sudo ipfw list


  1. http://en.wikipedia.org/wiki/Ipfirewall