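#!/bin/sh
# IPFW host-firewall ruleset (start).
#
# Loads a stateful ruleset for a single host: outbound sessions are tracked
# with keep-state, a short list of inbound services is admitted with a
# per-source connection limit, and everything else is denied and logged.
#
# Usage: run as root (ipfw needs it), e.g.  sh ipfw.rules
# Site-specific values are the three variables right below; adjust them
# before loading. Rule numbers are kept from the original ruleset.
#
# -e: stop on the first failing ipfw command rather than continuing with a
#     partially applied ruleset; -u: refuse to expand an unset variable.
set -eu

# Network interface connected to the Internet; check with ifconfig(8).
oif="em0"
# DNS resolver this host uses; the address can be read from /etc/resolv.conf.
dns_server="163.19.163.1"
# Network whose hosts may ping this machine and reach the telnet port.
trusted_net="163.19.163.0/24"

# rule NUMBER ACTION ... : add one rule; -q suppresses ipfw's output.
# A function replaces the original "$cmd" string so the command is not built
# by word-splitting an unquoted variable.
rule() {
  ipfw -q add "$@"
}

# Flush every existing rule first (-q quiet, -f forces: no confirmation prompt).
ipfw -q -f flush

# Loopback traffic is unrestricted.
rule 00010 allow all from any to any via lo0

# Pass packets that match a dynamic rule previously created by keep-state.
rule 00015 check-state

# Outbound DNS to the resolver; replies come back through the dynamic rule.
rule 00110 allow tcp from any to "$dns_server" 53 out via "$oif" setup keep-state
rule 00111 allow udp from any to "$dns_server" 53 out via "$oif" keep-state

# root may open any outbound TCP session (make install, CVSUP and the like).
rule 00240 allow tcp from me to any out via "$oif" setup keep-state uid root

# Outbound ICMP (ping etc.); replies are admitted by the dynamic rule.
rule 00250 allow icmp from any to any out via "$oif" keep-state

# Outbound SSH (secure shell).
rule 00280 allow tcp from any to any 22 out via "$oif" setup keep-state

# Drop inbound packets whose source address must not appear on the Internet.
rule 00300 deny all from 192.168.0.0/16 to any in via "$oif"
rule 00301 deny all from 172.16.0.0/12 to any in via "$oif"
rule 00302 deny all from 10.0.0.0/8 to any in via "$oif"
rule 00303 deny all from 127.0.0.0/8 to any in via "$oif"     # loopback
rule 00304 deny all from 0.0.0.0/8 to any in via "$oif"       # loopback
rule 00305 deny all from 169.254.0.0/16 to any in via "$oif"  # DHCP auto-configuration
rule 00306 deny all from 192.0.2.0/24 to any in via "$oif"    # reserved for documentation
rule 00307 deny all from 204.152.64.0/23 to any in via "$oif" # Sun cluster interconnect
rule 00308 deny all from 224.0.0.0/3 to any in via "$oif"     # Class D and E multicast

# Inbound ICMP (ping) is accepted only from the trusted network; all other
# inbound ICMP is refused.
rule 00309 allow icmp from "$trusted_net" to any in via "$oif"
rule 00310 deny icmp from any to any in via "$oif"

# Drop inbound IP fragments: ipfw's 'frag' matches non-first fragments of a
# datagram (the original comment described these as "late arriving packets").
rule 00330 deny all from any to any frag in via "$oif"

# Inbound services. 'limit src-addr 2' caps each client address at two
# concurrent connections to the service.
rule 00400 allow tcp from any to me 21 in via "$oif" setup limit src-addr 2  # ftp
rule 00410 allow tcp from any to me 22 in via "$oif" setup limit src-addr 2  # ssh (remove if not offered)
# telnet carries credentials in clear text; the original author already
# advised against using it. Keep this rule only if the service is really needed.
rule 00420 allow tcp from any to me 23 in via "$oif" setup limit src-addr 2  # telnet
# Stateless allow for the trusted network to port 23 (both directions, no
# 'setup'), so an existing session survives a flush/reload without being
# cut off. Add similar lines for other ports the same way.
rule 00430 allow tcp from "$trusted_net" to me 23 via "$oif"
rule 00440 allow tcp from any to me 80 in via "$oif" setup limit src-addr 2  # www (apache)
# Further inbound services follow the same pattern.

# Any outbound TCP from this host. The original rule said 'from any', which
# would also pass forwarded traffic; 'from me' matches its stated intent of
# allowing the local machine to send TCP.
rule 00500 allow tcp from me to any out via "$oif"

# Default: deny and log everything else.
# NOTE(review): ipfw only emits log entries when net.inet.ip.fw.verbose is
# enabled — confirm the sysctl on the target host.
rule 00999 deny log all from any to any
# IPFW ruleset (end).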