Chapter 30. Firewalls

Contributed by Joseph J. Barbish.
Converted to SGML and updated by Brad Davis.
Table of Contents
30.1. Introduction
30.2. Firewall Concepts
30.3. Firewall Packages
30.4. PF and ALTQ
30.5. The IPFILTER (IPF) Firewall
30.6. IPFW

30.1. Introduction

Firewalls make it possible to filter the incoming and outgoing traffic that flows through a system. A firewall can use one or more sets of rules to inspect network packets as they come in or go out of network connections and either allows the traffic through or blocks it. The rules of a firewall can inspect one or more characteristics of the packets such as the protocol type, source or destination host address, and source or destination port.

Firewalls can enhance the security of a host or a network. They can be used to do one or more of the following:

  • Protect and insulate the applications, services, and machines of an internal network from unwanted traffic from the public Internet.

  • Limit or disable access from hosts of the internal network to services of the public Internet.

  • Support network address translation (NAT), which allows an internal network to use private IP addresses and share a single connection to the public Internet using either a single IP address or a shared pool of automatically assigned public addresses.

After reading this chapter, you will know:

  • How to define packet filtering rules.

  • The differences between the firewalls built into FreeBSD.

  • How to use and configure the PF firewall.

  • How to use and configure the IPFILTER firewall.

  • How to use and configure the IPFW firewall.

Before reading this chapter, you should:

  • Understand basic FreeBSD and Internet concepts.

All FreeBSD documents are available for download at

Questions that are not answered by the documentation may be sent to <>.

Send questions about this document to <>.