This isn't so much of a proper how-to, but mostly notes to self on how to quickly setup IPFW on FreeBSD 9.

To enable IPFW:

Open up /etc/rc.conf and add the following lines:

firewall_enable="YES" #Enables the firewall - the most important line :)
firewall_logging="YES" #optional - enables logging - logs will go by default to /var/log/security
firewall_type="open"

NOTE: Starting the firewall with the above, will effectively have a completely open firewall by default, which is a good thing in most cases since you won't be accidentally locked out. Once you've added the lines, reboot the system to enable it with:

reboot now

Once the system has rebooted, check the default firewall set:

ipfw list

The output will look something like this:

ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
65000 allow ip from any to any
65535 deny ip from any to any

Won't go into details on the above, but here's how to set an example firewall that only allows SSH from only one IP address - in this case 192.168.2.8: 1. First flush the firewall - this means that it will DENY everything so only do this from a local console:

ipfw -f flush

You'll get this output:

Flushed all rules.

If you check with ipfw list now it will look like this:

65535 deny ip from any to any

2. Now add a rule to allow traffic from 192.168.2.8 to come in when the destination port is 22

ipfw add 100 allow log tcp from 192.168.2.8 to any dst-port 22

ipfw list will show you this:

00100 allow log tcp from 192.168.2.8 to any dst-port 22
65535 deny ip from any to any

3. Now add another rule to allow port 22 traffic to leave:

ipfw add 101 allow log tcp from any 22 to any

ipfw list will show you this:

00100 allow log tcp from 192.168.2.8 to any dst-port 22
00101 allow log tcp from any 22 to any
65535 deny ip from any to any

The best way to troubleshoot any issues is to take a look at the logs. By default everything will go into /var/log/security. If you want to change the logfile you need to do the following: Open up /etc/syslog.conf At the bottom add the lines:

!ipfw
*.* /var/log/ipfw.log

Touch (create) the logfile:

touch /var/log/ipfw.log

Restart the syslogd service:

service syslogd restart

Sources/References: