The default firewall configuration (no permissions) means all traffic will pass through the firewall untouched.

Some basic terminology:

  inside   = the network segment which the firewall is guarding.
  outside  = the threat from which "the inside" is being guarded.
  incoming = traffic arriving at the firewall from "the outside".
  outbound = traffic arriving at the firewall from "the inside".

There are 6 types of permissions: 3 types for filtering incoming traffic, 2 types for filtering outbound traffic, and 1 type which controls traffic regardless of its direction. Each permission becomes a macro which, when expanded, creates a set of FreeBSD IPFW (IP FireWall) rules.

The permission types are, in order of priority ...

for generic traffic control:
  shun    - causes all matching packets to be dropped without any regard for whether the packets are incoming or outbound.

for incoming traffic control:
  reject  - causes all matching incoming packets to be dropped.
  allow   - causes all matching incoming packets to be forwarded.
  block   - similar to 'reject' but causes the resulting IPFW rules to be processed AFTER any IPFW rules which may have resulted from any 'allow' entries.

for outbound traffic control:
  send    - causes all matching outbound packets to be forwarded.
  contain - causes all matching outbound packets to be dropped.

Note that since all traffic is untouched by default, "allow" permissions are only necessary for exempting packets from related "block" permissions. The same applies to "send" permissions in relation to "contain" permissions.

Permission processing order is important because if a packet matches a permission, then the processing of that packet is complete and that packet is either dropped or forwarded (depending on the permission). When entering multiple permissions of the same type, processing order can be chosen by assigning position numbers to the new permissions.
The following example permissions could be used to permit access only to traffic from the 128.100.200.0 subnet and even then to refuse access to any HTTP traffic (tcp port 80) from that subnet.

example 1: specific ...

  reject 128.100.200.0/24 tcp 80   # drop HTTP from .200
  allow  128.100.200.0/24          # forward all else from .200
  block  all                       # and drop everything else.

example 2: general ...

  reject all tcp 80                # drop HTTP from everywhere
  allow  128.100.200.0/24          # forward all else from .200
  block  all                       # and drop everything else.

There are 4 other permission types: quota, tap (or sniff), record, trip. These permissions won't block traffic in either direction but they do provide additional features.

- "Quota" can be used for traffic shaping in that it allows control of the amount of bandwidth available to the specified traffic. A quota can be used either to limit available bandwidth or to reserve bandwidth (in other words, limit everything else). Quotas are defined as a percentage of the bandwidth of the slowest NIC.

- "Tap" can be used to capture packets (as in "to tap a phone line"). Captured packets can be relayed to a remote system, or saved to disk and analyzed at a later time. "Sniff" is the same as "tap" except that captured packets are displayed immediately without being saved or forwarded.

- "Record" can be used to log and 'remember' outbound traffic. "Record" permissions are useful for logging outbound udp streams (instead of having to log each udp packet involved in such streams).

- A "trip" permission is used for raising an alarm. An alarm is tripped if a packet matches a "trip" permission. A tripped alarm results in an email message to a configured recipient. Alarms can be tripped repeatedly or they can be configured to trip just once.

Every tcp connection or udp packet or udp stream, either incoming or outbound, causes a log entry to be made. The log file is rolled and compressed daily.
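To make the ordering rules concrete (type priority first, then position; first match ends processing; unmatched traffic passes untouched; "block" rules land after "allow" rules no matter how they were entered), here is an added example that parses the six filtering permission types in the syntax of examples 1 and 2 above, sorts them into processing order, decides the fate of a packet, and renders an ipfw-style rule list. This is illustration code written for this page, not the product's own macro expander. It assumes that the address field is compared against the source of incoming packets and the destination of outbound packets, that the port is a destination port, that position defaults to entry order, and that the emitted ipfw syntax is one plausible rendering of the expansion.

```python
"""Parser, ordering and first-match evaluator for the permission language
described above.  Added example, not the product's expander.  Assumed: the
address matches the source of incoming / destination of outbound packets,
the port is a destination port, and the ipfw rendering is illustrative."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Processing priority exactly as the page lists the filtering types.
PRIORITY = ["shun", "reject", "allow", "block", "send", "contain"]
DIRECTION = {"shun": None, "reject": "in", "allow": "in", "block": "in",
             "send": "out", "contain": "out"}
ACTION = {"shun": "drop", "reject": "drop", "allow": "forward",
          "block": "drop", "send": "forward", "contain": "drop"}


@dataclass
class Permission:
    kind: str
    network: Optional[ipaddress.IPv4Network]  # None means "all"
    proto: Optional[str]                       # None means any protocol
    port: Optional[int]                        # None means any port
    position: int                              # order within the same type


def parse_permission(line: str, position: int) -> Permission:
    """Parse a line such as 'reject 128.100.200.0/24 tcp 80 # comment'."""
    fields = line.split("#", 1)[0].split()
    if not fields or fields[0].lower() not in PRIORITY:
        raise ValueError(f"unknown permission: {line!r}")
    kind = fields[0].lower()
    network = None if fields[1].lower() == "all" else ipaddress.ip_network(fields[1], strict=False)
    proto = fields[2].lower() if len(fields) > 2 else None
    port = int(fields[3]) if len(fields) > 3 else None
    return Permission(kind, network, proto, port, position)


def load_permissions(lines):
    """Parse all lines and sort into processing order: type priority first,
    then position (assumed here to default to the order of entry)."""
    perms = [parse_permission(l, i) for i, l in enumerate(lines) if l.strip()]
    return sorted(perms, key=lambda p: (PRIORITY.index(p.kind), p.position))


def matches(p, src, dst, proto, port, direction):
    """True when the packet falls under this permission."""
    d = DIRECTION[p.kind]
    if d is not None and d != direction:
        return False
    if p.proto is not None and p.proto != proto:
        return False
    if p.port is not None and p.port != port:
        return False
    if p.network is None:
        return True
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if d == "in":
        return src in p.network
    if d == "out":
        return dst in p.network
    return src in p.network or dst in p.network  # shun: either side


def decide(perms, src, dst, proto, port, direction):
    """First match wins; a packet matching nothing passes untouched."""
    for p in perms:
        if matches(p, src, dst, proto, port, direction):
            return ACTION[p.kind]
    return "pass"


def render_ipfw(perms, base=1000, step=100):
    """Render the ordered permissions as ipfw rules (assumed rendering)."""
    rules = []
    for i, p in enumerate(perms):
        num = base + i * step
        verb = "allow" if ACTION[p.kind] == "forward" else "deny"
        proto = p.proto or "ip"
        net = str(p.network) if p.network else "any"
        port = f" dst-port {p.port}" if p.port is not None else ""
        d = DIRECTION[p.kind]
        if d == "in":
            rules.append(f"ipfw add {num} {verb} {proto} from {net} to any{port} in")
        elif d == "out":
            rules.append(f"ipfw add {num} {verb} {proto} from any to {net}{port} out")
        else:  # shun has no direction, so cover both sides
            rules.append(f"ipfw add {num} {verb} {proto} from {net} to any{port}")
            rules.append(f"ipfw add {num} {verb} {proto} from any to {net}{port}")
    return rules


# Example 1 from the page, deliberately entered with "block" first to show
# that sorting still places it after "allow".
EXAMPLE_1 = [
    "block  all                       # and drop everything else.",
    "reject 128.100.200.0/24 tcp 80   # drop HTTP from .200",
    "allow  128.100.200.0/24          # forward all else from .200",
]

if __name__ == "__main__":
    perms = load_permissions(EXAMPLE_1)
    for rule in render_ipfw(perms):
        print(rule)
    print(decide(perms, "128.100.200.7", "10.0.0.5", "tcp", 80, "in"))   # drop
    print(decide(perms, "128.100.200.7", "10.0.0.5", "tcp", 22, "in"))   # forward
    print(decide(perms, "10.0.0.5", "192.0.2.9", "udp", 53, "out"))      # pass
```

The last line of the demo is the point the page makes about defaults: example 1 contains no outbound permissions, so outbound traffic is untouched even though every incoming packet is either forwarded or dropped.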
A digest of the day's traffic can be automatically emailed to addresses configured by the firewall administrator.