Example IPFilter firewall

Here is an example IPFilter firewall for an FTP server (allowing passive and active incoming FTP transfers). The firewall also allows incoming ssh connections from one IP address (192.168.1.100 in this example), as well as active FTP sessions initiated from the firewall.

# Allow all loopback (local) traffic
pass in quick on lo0
pass out quick on lo0

# Cleanup rule; log all incoming traffic not allowed by one of the rules
# (not "quick", so the "pass in quick" rules below still win)
block in log all

# Cleanup rule for outbound connections; should not be matched because of stateful inspection
block out all

# Let in FTP (21, control) from anywhere for active FTP
pass in quick proto tcp from any to any port = 21 flags S keep state

# Allow passive FTP transfers from ports 49152 to 65534, the IANA-registered ephemeral port range.
# ">< " is the inside-range operator (end points excluded); "<>" matches ports outside the range.
pass in quick proto tcp from any to any port 49151 >< 65535 flags S keep state

# Allow active FTP data connections back to my box (local ephemeral port ranges only;
# the inside-range operator >< is required here, since <> would admit every destination port)
pass in quick proto tcp from any port = 20 to any port 8192 >< 16384 flags S keep state
pass in quick proto tcp from any port = 20 to any port 32768 >< 40000 flags S keep state

# Allow SSH traffic from LAN
pass in quick proto tcp from 192.168.1.100/32 to any port = 22 flags S keep state

# Stateful outbound rules
pass out quick proto icmp from any to any keep state
pass out quick proto tcp/udp from any to any keep state keep frags

Last modified: 01/15/2003
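Added example, not part of the original page: a small Python model of the ipf port tests so the ranges in the rules above can be checked against concrete ports before loading the ruleset. It assumes the ipf.conf(5) semantics that `><` matches ports strictly inside the range and `<>` ports strictly outside it, and it only understands the "pass in quick proto tcp" form used on this page (the rule strings below are constructed copies).

```python
"""Model of IPFilter TCP port comparisons, checked against FTP rules like those above."""
import re

# ipf.conf(5) single-port tests. The range operators are handled in port_matches():
# "a >< b" matches a < port < b, "a <> b" matches port < a or port > b (end points excluded).
_SIMPLE = {
    "=": lambda p, n: p == n, "!=": lambda p, n: p != n,
    "<": lambda p, n: p < n, ">": lambda p, n: p > n,
    "<=": lambda p, n: p <= n, ">=": lambda p, n: p >= n,
}
# Only the rule shape used on this page: pass in quick proto tcp from X [port ..] to Y [port ..]
_RULE = re.compile(
    r"^pass in quick proto tcp from (?P<src>\S+)(?: port (?P<sport>[\d =!<>]+?))?"
    r" to (?P<dst>\S+)(?: port (?P<dport>[\d =!<>]+?))?(?: flags \S+)?(?: keep state)?$"
)

def port_matches(spec, port):
    """spec is the text after 'port', e.g. '= 21' or '49151 >< 65535'; None means any port."""
    if spec is None:
        return True
    m = re.fullmatch(r"(\d+) (><|<>) (\d+)", spec.strip())
    if m:
        lo, op, hi = int(m.group(1)), m.group(2), int(m.group(3))
        inside = lo < port < hi
        return inside if op == "><" else not inside
    m = re.fullmatch(r"(=|!=|<=|>=|<|>) (\d+)", spec.strip())
    if m is None:
        raise ValueError(f"unsupported port spec: {spec!r}")
    return _SIMPLE[m.group(1)](port, int(m.group(2)))

def addr_matches(spec, ip):
    """'any' or a /32 host, which is all this page's rules use."""
    return spec == "any" or spec.split("/")[0] == ip

def admitted_by(rules, src_ip, sport, dst_ip, dport):
    """Indexes of the 'pass in quick proto tcp' rules that would accept this inbound SYN."""
    hits = []
    for i, line in enumerate(rules):
        m = _RULE.match(line)
        if m is None:
            continue  # loopback, block or outbound rule: not modelled here
        if (addr_matches(m["src"], src_ip) and port_matches(m["sport"], sport)
                and addr_matches(m["dst"], dst_ip) and port_matches(m["dport"], dport)):
            hits.append(i)
    return hits

# Constructed rule strings: the page's active-FTP data rule with each range operator, plus SSH.
INSIDE = ["pass in quick proto tcp from any port = 20 to any port 8192 >< 16384 flags S keep state"]
OUTSIDE = ["pass in quick proto tcp from any port = 20 to any port 8192 <> 16384 flags S keep state"]
SSH = ["pass in quick proto tcp from 192.168.1.100/32 to any port = 22 flags S keep state"]
```

With `OUTSIDE`, a SYN from source port 20 to destination port 22 is admitted, which is why the data-connection rules need `><`.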