
Firewall

Lucas Holt edited this page Aug 22, 2022 · 2 revisions

By default, MidnightBSD enables IPFW at startup. The default ruleset is tuned for desktop users: it can optionally allow mDNSresponder traffic if that service is enabled in /etc/rc.conf, as well as sshd and DHCP. Most other inbound traffic is blocked.

Other firewalls, such as PF, are also available in MidnightBSD. This page focuses on the default firewall, IPFW.

Open Firewall / Custom Rules for IPFW

If you'd rather create your own ruleset, put something like this in /etc/rc.conf:

firewall_type="OPEN"
firewall_enable="YES"
firewall_logging="YES"
firewall_script="/etc/firewall.rules"

The /etc/firewall.rules script should be a shell script that loads your rules. Note that IPFW evaluates rules in ascending rule-number order, not in the order they appear in the script.

For example:

#!/bin/sh
# Drop any rules left from a previous load so the ruleset is rebuilt from scratch
ipfw -f -q flush

# Loopback traffic is always allowed; loopback addresses on real interfaces are not
ipfw add 100 pass all from any to any via lo0
ipfw add 200 deny all from any to 127.0.0.0/8
ipfw add 300 deny ip from 127.0.0.0/8 to any

# Block multicast and private-range sources arriving from outside
ipfw add 400 deny ip from 224.0.0.0/3 to any in
ipfw add 500 deny tcp from any to 224.0.0.0/3 in
ipfw add 540 deny ip from 172.16.0.0/12 to any in
#ipfw add 550 deny all from 192.168.0.0/16 to any in
ipfw add 560 deny all from 172.16.0.0/12 to any in
ipfw add 561 deny ip from 222.248.233.220 to any in

# Outbound TCP, replies to established connections and fragments are allowed
ipfw add 600 allow tcp from any to any out
ipfw add 700 allow tcp from any to any established
ipfw add 800 allow tcp from any to any frag
ipfw add 900 check-state

# put your stuff here

# IPv6 neighbour discovery and essential ICMPv6
ipfw add 10 pass ipv6-icmp from :: to ff02::/16
# RS, RA, NS, NA, redirect...
ipfw add 20 pass ipv6-icmp from fe80::/10 to fe80::/10
ipfw add 30 pass ipv6-icmp from fe80::/10 to ff02::/16
# Allow ICMPv6 destination unreach
ipfw add 40 pass ipv6-icmp from any to any icmp6types 1
# Allow NS/NA/toobig (don't filter it out)
ipfw add 50 pass ipv6-icmp from any to any icmp6types 2,135,136
ipfw add 64000 pass ip6 from any to any

# Everything not matched above: log and drop new inbound TCP, drop inbound
# ICMP echo/redirect, allow the rest
ipfw add 65000 deny log tcp from any to any
ipfw add 65100 deny icmp from any to me in icmptypes 5,8
ipfw add 65200 allow all from any to any
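Because IPFW orders rules by number rather than by their position in the script (rule 10 above is listed after rule 900 but runs first), it is worth previewing the effective order and catching a few common mistakes before the script is loaded at boot. The following pre-flight check is an added example, not part of this wiki page or of MidnightBSD itself; the function names and the file argument are assumptions.

```shell
#!/bin/sh
# Added example (not MidnightBSD code): sanity-check a hand-written
# /etc/firewall.rules before rc loads it. Usage:
#   ipfw_effective_order /etc/firewall.rules
#   ipfw_check_script   /etc/firewall.rules

# Print "<number> <action> <rest>" for every uncommented "ipfw add N ..."
# line, sorted numerically, i.e. in the order IPFW will evaluate them.
ipfw_effective_order() {
    grep -E '^[[:space:]]*ipfw[[:space:]]+add[[:space:]]+[0-9]+' "$1" |
        sed -E 's/^[[:space:]]*ipfw[[:space:]]+add[[:space:]]+//' |
        sort -n -k1,1
}

# Return 0 if the script looks sane, 1 otherwise; findings go to stdout.
# Checks: old rules are flushed first (otherwise a reload appends to the
# live ruleset), no rule number is used twice (the second "add" with the
# same number is evaluated after the first, which is easy to overlook),
# and the highest-numbered rule is an explicit catch-all so the policy
# does not silently depend on the kernel's compiled-in default.
ipfw_check_script() {
    rc=0
    if ! grep -qE '^[[:space:]]*ipfw[[:space:]]+(-[fq]+[[:space:]]+)*flush' "$1"; then
        echo "no 'ipfw -f flush' before the rules"
        rc=1
    fi
    dups=$(ipfw_effective_order "$1" | awk '{print $1}' | uniq -d)
    if [ -n "$dups" ]; then
        echo "rule numbers used more than once: $(echo "$dups" | tr '\n' ' ')"
        rc=1
    fi
    last=$(ipfw_effective_order "$1" | tail -n 1)
    case "$last" in
        *" from any to any"*) ;;
        *) echo "highest-numbered rule is not a catch-all: $last"; rc=1 ;;
    esac
    return $rc
}
```

Run ipfw_effective_order against the script above to see that the IPv6 rules 10 to 50 are evaluated before the loopback rule 100, regardless of where they sit in the file.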