I guess I'm not the only one who considers OpenBSD's 'pf' the most powerful firewall available.
As the commercials say: "Now on FreeBSD!" :-)
And it is really easy to activate 'pf'.
Starting from FreeBSD 5.3, 'pf' is part of the base system, so editing the two configuration files below is all that is required.
Then run /etc/rc.d/pf start and /etc/rc.d/pflog start (or reboot, as you wish); the rc script loads the 'pf' kernel module if it is not compiled into the kernel already. Do not "restart" things by signalling init: on FreeBSD a SIGTERM to init (which is what 'killall init' sends) takes the machine down to single-user mode, which is the last thing you want on a remote box.
Refer to the links at the bottom of this page for how to activate 'pf' on earlier versions of FreeBSD.
Once it is running, read 'man pf', 'man pf.conf' and 'man pfctl' to learn how to manage 'pf'. Check a ruleset with 'pfctl -nf /etc/pf.conf' before loading it (a ruleset that does not parse is not loaded), use 'pfctl -sr' to see the rules as actually loaded, with macros expanded, and read the pflog file with 'tcpdump -n -e -ttt -r /var/log/pflog'.
In /etc/rc.conf:
pf_enable="YES" # Enable PF (load module if required)
pf_rules="/etc/pf.conf" # rules definition file for pf
pf_flags="" # additional flags for pfctl startup
pflog_enable="YES" # start pflogd(8)
pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
pflog_flags="" # additional flags for pflogd startup
gateway_enable="YES" # Enable as LAN gateway
In /etc/pf.conf:
NOTE!: Simple NAT rules for LAN only! Open firewall! Not tested! No warranties!:
# macros
int_if = "dc0"
ext_if = "fxp0"
tcp_services = "{ 22, 113 }"
icmp_types = "echoreq"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
comp3 = "192.168.0.3"
# options
set block-policy return
set loginterface $ext_if
# scrub
scrub in all
# nat
nat on $ext_if from $int_if:network to any -> ($ext_if)
# Modified 2005-03-12:
# The original rdr line (kept below, disabled) was wrong: it redirected
# LAN traffic arriving on $int_if to the external address, which broke
# the ruleset. What the port-80 rule further down actually needs is a
# redirect of inbound web traffic on $ext_if to comp3, so that is what
# the active rdr does now.
###rdr on $int_if from $int_if:network to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $comp3 port 80
# filter rules
block all
pass quick on lo0 all
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
pass in on $ext_if inet proto tcp from any to ($ext_if) \
port $tcp_services flags S/SA keep state
# web server on comp3: this rule only matches if an rdr on $ext_if sends
# inbound port-80 traffic to $comp3; without such an rdr it can never
# match, because 192.168.0.3 is never the destination of a packet that
# arrives on $ext_if. synproxy completes the handshake on the firewall
# before comp3 sees the connection.
pass in on $ext_if proto tcp from any to $comp3 port 80 \
flags S/SA synproxy state
# active-FTP data connections for ftp-proxy(8) running as user 'proxy';
# useless (but harmless) unless ftp-proxy is actually set up, which this
# page does not cover
pass in on $ext_if inet proto tcp from port 20 to ($ext_if) \
user proxy flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
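A small lint for the ruleset above, added here as an example; it is not part of this page, nor of FreeBSD or OpenBSD pf. It expands macros the way pfctl does (flat $name substitution, backslash continuations, '#' comments) and then flags the mistake this file is prone to: a 'pass in' on $ext_if whose destination is a private LAN address while no rdr on $ext_if delivers traffic there, a rule that can never match. The two sample rulesets are constructed from the page's pf.conf and trimmed to the rules that matter, one without a port-80 redirect and one with 'rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $comp3' added; interface names and addresses are the page's own.

```python
"""Lint a pf.conf for 'pass in' rules on the outside interface that target
a private host with no matching rdr (added example, not pf's own code)."""
import ipaddress
import re

# Constructed sample: the page's ruleset without a port-80 redirect.
PF_CONF_NO_RDR = """\
int_if = "dc0"
ext_if = "fxp0"
tcp_services = "{ 22, 113 }"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
comp3 = "192.168.0.3"
nat on $ext_if from $int_if:network to any -> ($ext_if)
###rdr on $int_if from $int_if:network to any -> ($ext_if)
block all
pass quick on lo0 all
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
pass in on $ext_if inet proto tcp from any to ($ext_if) \\
    port $tcp_services flags S/SA keep state
pass in on $ext_if proto tcp from any to $comp3 port 80 \\
    flags S/SA synproxy state
pass in on $int_if from $int_if:network to any keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
"""

# The same ruleset with the redirect that makes the comp3 rule reachable.
PF_CONF_WITH_RDR = PF_CONF_NO_RDR.replace(
    "block all\n",
    "rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $comp3\nblock all\n",
)

MACRO_RE = re.compile(r'^([A-Za-z_]\w*)\s*=\s*"([^"]*)"$')
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def logical_lines(conf):
    """Drop '#' comments, join backslash-continued lines, squeeze blanks."""
    out, buf = [], ""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            out.append(" ".join(buf.split()))
        buf = ""
    return out


def expand(text, macros):
    """Substitute $name references; an undefined macro is an error, as in pfctl."""
    def sub(m):
        if m.group(1) not in macros:
            raise ValueError("undefined macro $" + m.group(1))
        return macros[m.group(1)]
    return re.sub(r"\$([A-Za-z_]\w*)", sub, text)


def parse(conf):
    """Return (macros, expanded rule lines) in file order."""
    macros, rules = {}, []
    for line in logical_lines(conf):
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = expand(m.group(2), macros)
        else:
            rules.append(expand(line, macros))
    return macros, rules


def is_private_host(token):
    try:
        addr = ipaddress.ip_address(token)
    except ValueError:          # 'any', '(fxp0)', lists, interface names
        return False
    return any(addr in net for net in PRIVATE)


def lint(conf):
    """Return a list of findings; an empty list means nothing suspicious."""
    macros, rules = parse(conf)
    ext_if = macros.get("ext_if")
    if ext_if is None:
        return ["no ext_if macro; cannot tell which side is outside"]
    findings = []
    if not any(r in ("block all", "block drop all") for r in rules):
        findings.append("no default-deny 'block all' rule")
    # Hosts that inbound traffic on the outside interface is redirected to.
    redirected = set()
    for r in rules:
        m = re.match(rf"rdr (pass )?on {re.escape(ext_if)}\b.*->\s*(\S+)", r)
        if m:
            redirected.add(m.group(2))
    for r in rules:
        m = re.match(rf"pass in on {re.escape(ext_if)}\b.*\bto (\S+)", r)
        if m and is_private_host(m.group(1)) and m.group(1) not in redirected:
            findings.append(f"pass in on {ext_if} to {m.group(1)} "
                            f"can never match: no rdr on {ext_if} to it")
    return findings


if __name__ == "__main__":
    for name, conf in (("no rdr", PF_CONF_NO_RDR), ("with rdr", PF_CONF_WITH_RDR)):
        print(name + ":", lint(conf) or ["ok"])
```

Run it as is to see the dead rule reported for the first ruleset and nothing for the second; point `lint()` at your own /etc/pf.conf text to check a real file. It deliberately stops at the one class of mistake shown on this page; 'pfctl -nf' remains the authority on syntax.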