
IPFW правила для хостинга

в /etc/rc.conf

прописываем
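# SECURITY
#
# Network hardening knobs for a single-homed hosting box (see rc.conf(5)).

# tcp_extensions="NO" switches off the RFC 1323 extensions (window scaling
# and timestamps). That is a legacy "hardening" tip with no security gain
# on current releases and it caps TCP throughput on fast links, so the
# default (YES) is kept here; uncomment only for a specific reason.
#tcp_extensions="NO"

# Drop TCP segments that carry both SYN and FIN (classic scan / T/TCP
# probe; T/TCP is not used by ordinary services).
tcp_drop_synfin="YES"

# NOTE(review): old knob that rate-limited RST replies on closed ports;
# recent releases may ignore it silently -- check rc.conf(5) for your
# version before relying on it.
tcp_restrict_rst="YES"

# Ignore ICMP redirects (an attacker on the link could otherwise rewrite our
# routes) and log any that arrive. Logging can be noisy on a busy segment;
# turn icmp_log_redirect off if the log fills up.
icmp_drop_redirect="YES"
icmp_log_redirect="YES"

# Blackhole routes for address ranges that must never be reached through the
# public interface: RFC 1918, link-local, TEST-NET-1, multicast, class E.
# Besides dropping outbound traffic to them, these routes are what the
# "verrevpath" check in /etc/ipfw.rules uses to reject inbound packets with
# such source addresses. Keep this list and the anti-spoof list in
# /etc/ipfw.rules in step.
# CAUTION: if the hosting provider gives this host a private management or
# backup network (10/8, 172.16/12, 192.168/16), remove that range here.
static_routes="0 1 2 3 4 5 6"
route_0="-net 10.0.0.0/8 -iface lo0 -blackhole"
route_1="-net 172.16.0.0/12 -iface lo0 -blackhole"
route_2="-net 192.168.0.0/16 -iface lo0 -blackhole"
route_3="-net 169.254.0.0/16 -iface lo0 -blackhole"
route_4="-net 192.0.2.0/24 -iface lo0 -blackhole"
route_5="-net 224.0.0.0/4 -iface lo0 -blackhole"
route_6="-net 240.0.0.0/4 -iface lo0 -blackhole"

# IPFW: load the custom ruleset below instead of a stock rc.firewall type.
# firewall_type is not consulted when firewall_script is set, which is why
# the OPEN type is left commented out.
firewall_enable="YES"
#firewall_type="OPEN"
# firewall_quiet only silences the stock rc.firewall script; a custom
# firewall_script presumably has to pass -q to ipfw itself if the per-rule
# "added" messages are unwanted on the console.
firewall_quiet="YES"
# Enables net.inet.ip.fw.verbose; only rules carrying the "log" keyword
# actually produce log lines.
firewall_logging="YES"
firewall_script="/etc/ipfw.rules"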

Создаём файл /etc/ipfw.rules (например, редактором ee) и пишем туда следующий скрипт. Первую загрузку правил лучше выполнять с консоли, а не по SSH: скрипт сначала сбрасывает все правила (ipfw -f flush), и ошибка в любой из последующих строк может оставить хост с неполным набором правил и без удалённого доступа.

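#!/bin/sh
#
# /etc/ipfw.rules -- IPFW ruleset for a single-homed hosting server.
#
# Executed by rc.d/ipfw (firewall_script in /etc/rc.conf). Policy: on the
# external interface everything is denied unless explicitly allowed below;
# connections the host opens itself are tracked with keep-state so that only
# their replies are admitted back in. No rule carries "log"; add it to the
# final deny (and cap net.inet.ip.fw.verbose_limit, see ipfw(8)) if denied
# packets should be logged.
#
# Reloading flushes the live ruleset first, so run this from the console or
# with a scheduled fallback rather than over SSH.

# -q suppresses the per-rule "added" chatter; errors are still reported.
IPFW="/sbin/ipfw -q"

# External NIC.
extIF="bge0"

# TCP services the world may connect to (FTP, SSH, HTTP, 9091).
OpenPorts="20,21,22,80,9091"

# Destination ports this host itself may connect out to (SSH, DNS, NTP).
# Replies are admitted through the dynamic state created below -- never by
# trusting the peer's source port, which anyone can choose.
FreePorts="22,53,123"

# Passive-FTP data port range of the FTP daemon (for example "49152-65534").
# Leave empty if the daemon is not configured for passive mode; then no
# unsolicited inbound connections to high ports are accepted at all.
PassivePorts=""

# Address ranges that must never show up on the external interface, in
# either address field: loopback, "this" network, RFC 1918, link-local,
# TEST-NET-1, multicast, class E. Keep in step with the blackhole routes in
# /etc/rc.conf.
BogonNets="127.0.0.0/8 0.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 192.0.2.0/24 224.0.0.0/4 240.0.0.0/4"
#
####

# Start from an empty ruleset. Note that -f flush does not touch tables.
${IPFW} -f flush

# Loopback is unrestricted.
${IPFW} add allow ip from any to any via lo0

# Anti-spoofing. Both directions and both address fields are covered, so
# inbound packets *sourced* from a bogon range are dropped here explicitly
# and not only by the verrevpath check further down (which depends on the
# blackhole routes in rc.conf being present).
for net in ${BogonNets}; do
	${IPFW} add deny ip from ${net} to any via ${extIF}
	${IPFW} add deny ip from any to ${net} via ${extIF}
done

# Drop ICMP to the limited-broadcast address silently (no "log" keyword, so
# the firewall log is not flooded with it).
${IPFW} add deny icmp from any to 255.255.255.255 in via ${extIF}
${IPFW} add deny icmp from any to 255.255.255.255 out via ${extIF}

# Malformed / scanning TCP segments (XMAS, NULL, lone FIN). The flag lists
# must be comma-separated with no spaces: "fin, syn, ..." is split into
# separate words by the shell and ipfw rejects the whole rule.
${IPFW} add reject tcp from any to any tcpflags fin,syn,rst,psh,ack,urg
${IPFW} add reject tcp from any to any tcpflags !fin,!syn,!rst,!psh,!ack,!urg
${IPFW} add reject tcp from any to any not established tcpflags fin
# Reverse-path check: the source must be routable back out the receiving
# interface.
${IPFW} add deny ip from any to any not verrevpath in
${IPFW} add deny icmp from any to any frag
# Manually blacklisted addresses: "ipfw table 1 add <addr>". On releases
# that require tables to exist before a rule references them, create table 1
# before loading this script.
${IPFW} add deny ip from "table(1)" to any

# Dynamic state is consulted only after the unconditional denies above, so a
# blacklisted or spoofed peer cannot ride an existing state entry past them.
${IPFW} add check-state

# Connections from this host to FreePorts; the state entry admits the
# replies at check-state.
${IPFW} add allow ip from me to any dst-port ${FreePorts} out via ${extIF} keep-state

# Inbound connections to the published services, at most 8 concurrent
# connections per client address. The limit entry also admits the replies.
# Note: nothing allows an outbound connection *from* port 20, so active-mode
# FTP data transfers are not possible with this ruleset.
${IPFW} add allow tcp from any to me dst-port ${OpenPorts} setup in limit src-addr 8 via ${extIF}
${IPFW} add allow tcp from me ${OpenPorts} to any established out via ${extIF}

# Passive-FTP data connections, only when a range is configured above.
if [ -n "${PassivePorts}" ]; then
	${IPFW} add allow tcp from any to me dst-port ${PassivePorts} setup in via ${extIF} keep-state
fi

# Client connections this host originates from ephemeral ports (HTTP
# fetches, SMTP, ...); the state entry admits the replies. No other inbound
# traffic to the high ports is accepted, so services bound to them (database
# servers, caches, admin panels) stay unreachable unless listed in OpenPorts.
${IPFW} add allow ip from me 1024-65534 to any out via ${extIF} keep-state

# ICMP: echo reply/request, destination unreachable (type 3 carries the
# "fragmentation needed" messages path-MTU discovery depends on) and time
# exceeded (traceroute).
${IPFW} add allow icmp from any to any icmptypes 0,3,8,11 via ${extIF}

# Explicit catch-all deny just below the kernel's default rule 65535.
${IPFW} add 65500 deny ip from any to any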