freebsd · thegushi · Aug 28, 2025 · Sep 11, 2025 · Sep 29, 2025 · markjdb
diff --git a/libexec/rc/rc.firewall b/libexec/rc/rc.firewall
@@ -547,7 +547,16 @@ case ${firewall_type} in
 	;;
 *)
 	if [ -r "${firewall_type}" ]; then
-		${fwcmd} ${firewall_flags} ${firewall_type}
+		if [ -f "${firewall_type}" ]; then
+			${fwcmd} ${firewall_flags} ${firewall_type}
+		else
+		if [ -d "${firewall_type}" ]; then
+			for fwfile in `rcorder $firewall_type/*`
+			do
+				ipfw -q $fwfile;
+			done
+			fi
+		fi
 	fi
 	;;
 esac
diff --git a/share/examples/ipfw.d/final b/share/examples/ipfw.d/final
@@ -0,0 +1,13 @@
+#
+# PROVIDE: final
+# REQUIRE: setup services outbound routing
+#
+
+#
+add allow tcp from me to any out setup // default outbound 
+
+# silently ignore local multicast
+add deny ip from any to 224.0.0.0/4 // drop multicast
+
+# drop and log everything else
+add reset log ip from any to any
diff --git a/share/examples/ipfw.d/ntp_client b/share/examples/ipfw.d/ntp_client
@@ -0,0 +1,11 @@
+# REQUIRE: outbound
+# PROVIDE: ntp_client ntp_servers
+# BEFORE: final
+
+table ntp_servers create
+
+# Uncomment and your NTP servers (if they are on known ips in your network) to the following table:
+
+# table ntp_servers add x.x.x.x
+
+add allow ip from me to table(ntp_servers) 123 keep-state // NTP outbound
diff --git a/share/examples/ipfw.d/outbound b/share/examples/ipfw.d/outbound
@@ -0,0 +1,6 @@
+#
+# REQUIRE: services
+# PROVIDE: outbound
+# BEFORE: final
+#
+# meta class - adds no rules
diff --git a/share/examples/ipfw.d/routing b/share/examples/ipfw.d/routing
@@ -0,0 +1,6 @@
+#
+# REQUIRE: setup
+# PROVIDE: routing
+# BEFORE: services
+#
+# meta class - adds no rules
diff --git a/share/examples/ipfw.d/services b/share/examples/ipfw.d/services
@@ -0,0 +1,5 @@
+# REQUIRE: setup routing
+# PROVIDE: services
+# BEFORE: outbound
+#
+# meta class - adds no rules
diff --git a/share/examples/ipfw.d/setup b/share/examples/ipfw.d/setup
@@ -0,0 +1,47 @@
+#
+# PROVIDE: setup blocked bogons
+# BEFORE: services routing outbound final
+#
+
+# remove all existing tables
+table all destroy
+table blocked create
+
+# standard (non-service specific) tables
+table bogons create
+table bogons add 0.0.0.0/8
+table bogons add 10.0.0.0/8
+table bogons add 172.12.0.0/12
+table bogons add 192.168.0.0/16
+table bogons add 169.254.0.0/16
+table bogons add 240.0.0.0/4
+
+# permit existing TCP sessions
+add allow tcp from any to any established
+
+# permit internal loopback traffic
+add allow ip from any to any via lo0
+add allow ip from any to any via lo1
+
+# deny directed loopback traffic
+add deny ip from any to 127.0.0.0/8 in
+add deny ip from any to ::/64 in
+
+# deny unexpected sources
+add deny ip from table(bogons) to me in // unexpected sources
+
+# deny explicitly disabled (non-persistent) sources
+add deny ip from table(blocked) to me in // emergency (non-persistent) blocklist
+
+# allow bsd-standard-port traceroutes
+add allow udp from me to any 33434-33600 // traceroute in
+add allow udp from any to me 33434-33600 // traceroute out
+
+# moderately permissive ICMPv4
+add allow icmp from any to any icmptypes 0,3,8,11,13,14 // safe ICMPv4
+
+# link-local ICMPv6 (RS, RA, NS, NA) - per FreeBSD standard rules
+add allow ipv6-icmp from :: to fe80::/10 // ICMPv6 DAD
+add allow ipv6-icmp from fe80::/10 to fe80::/10 // ICMPv6 NDP
+add allow ipv6-icmp from fe80::/10 to ff02::/16 // ICMPv6 NDP
+add allow ipv6-icmp from any to any icmp6types 1,2,3,128,129,135,136 // safe ICMPv6
diff --git a/share/examples/ipfw.d/ssh_service b/share/examples/ipfw.d/ssh_service
@@ -0,0 +1,7 @@
+# REQUIRE: services
+# PROVIDE: ssh_service ssh_clients
+# BEFORE: outbound
+
+table ssh_clients create
+
+add allow tcp from table(ssh_clients) to me 22 in setup	        // inbound SSH