Setting up IPfilter

vi /etc/rc.conf

ipfilter=yes
ipfilter_flags=""
#ipmon=yes
#ipmon_flags="-Dns"

vi /etc/ipf.conf

It is considered good practice to have a default blocking policy, but filtering is not strictly needed on the front-facing interface here, since the BSD gateway itself is not listening on any port whatsoever. This example has four interfaces and filters only what comes in from the DMZ (xennet2) toward the internal network, plus what goes out to it (notice the pass out ... keep state line).

pass in all
pass out all

#loopback
pass in quick on lo0 all
pass out quick on lo0 all

#icmp
pass in quick proto icmp from any to any
pass out quick proto icmp from any to any

# xennet0 - internal 10.1.1
# xennet1 - public network
# xennet2 - DMZ 10.1.2
# xennet3 - agents 10.1.3

block in on xennet2 from any to 10.1.1.0/24

# joomla talks to monit
pass in on xennet2 proto tcp from any to 10.1.1.19 port = 8080

# joomla talks to mariadb
pass in on xennet2 proto tcp from any to 10.1.1.17 port = 3306

# joomla needs dns
pass in on xennet2 proto udp from any to 10.1.1.251 port = 53
pass in on xennet2 proto tcp from any to 10.1.1.251 port = 53

# we need to be able to maintain joomla on port 2222
pass out on xennet2 proto tcp from any to any port = 2222 keep state
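The ruleset above only behaves as intended because of IPFilter's matching semantics: rules are evaluated top to bottom, the last matching rule wins unless a matching rule says quick, and keep state lets the replies to the port-2222 sessions back through the block in on xennet2 line. The following Python script is an added example (not part of the original page and not IPFilter code) that models exactly that subset of ipf.conf(5) syntax over the page's own rules and runs a few constructed packets through it, so you can see which DMZ traffic is accepted or dropped before loading the file with ipf. It assumes the documented IPFilter default of passing a packet that matches no rule at all, and it ignores flags, TTL/TOS matching and groups.

```python
"""Simulate IPFilter rule matching over the page's ruleset (added example).

Semantics modelled: last matching rule decides, 'quick' stops the search,
'keep state' adds the flow to a state table consulted before the rules."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# The page's ruleset (icmp rules written with the explicit from/to that
# ipf.conf(5) requires).
RULESET = """
pass in all
pass out all
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick proto icmp from any to any
pass out quick proto icmp from any to any
block in on xennet2 from any to 10.1.1.0/24
pass in on xennet2 proto tcp from any to 10.1.1.19 port = 8080
pass in on xennet2 proto tcp from any to 10.1.1.17 port = 3306
pass in on xennet2 proto udp from any to 10.1.1.251 port = 53
pass in on xennet2 proto tcp from any to 10.1.1.251 port = 53
pass out on xennet2 proto tcp from any to any port = 2222 keep state
"""

RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)"
    r"(?P<quick>\s+quick)?"
    r"(?:\s+on\s+(?P<iface>\S+))?"
    r"(?:\s+proto\s+(?P<proto>\S+))?"
    r"\s+(?:all|from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+port\s*=\s*(?P<port>\d+))?)"
    r"(?P<state>\s+keep\s+state)?\s*$"
)


@dataclass
class Packet:
    direction: str        # "in" or "out"
    iface: str
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass
class Rule:
    action: str
    direction: str
    quick: bool
    iface: Optional[str]
    proto: Optional[str]
    src: Optional[ipaddress.IPv4Network]   # None means "any"
    dst: Optional[ipaddress.IPv4Network]
    dport: Optional[int]
    keep_state: bool
    text: str


def _net(token):
    return None if token in (None, "any") else ipaddress.ip_network(token, strict=False)


def parse_rules(text):
    """Parse the supported subset of ipf.conf syntax, skipping blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported rule syntax: " + line)
        g = m.groupdict()
        rules.append(Rule(g["action"], g["dir"], bool(g["quick"]), g["iface"], g["proto"],
                          _net(g["src"]), _net(g["dst"]),
                          int(g["port"]) if g["port"] else None, bool(g["state"]), line))
    return rules


def matches(rule, pkt):
    if rule.direction != pkt.direction or (rule.iface and rule.iface != pkt.iface):
        return False
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.src and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    return rule.dport is None or rule.dport == pkt.dport


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.state = set()   # flows recorded by 'keep state' rules

    def decide(self, pkt):
        """Return (action, reason) for one packet, updating the state table."""
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.state or rev in self.state:
            return "pass", "state table"
        winner = None
        for rule in self.rules:          # last match wins unless quick
            if matches(rule, pkt):
                winner = rule
                if rule.quick:
                    break
        if winner is None:
            return "pass", "no rule matched (ipf default)"
        if winner.action == "pass" and winner.keep_state:
            self.state.add(fwd)
        return winner.action, winner.text


if __name__ == "__main__":
    fw = Firewall(parse_rules(RULESET))
    samples = [  # constructed packets, DMZ host 10.1.2.10 talking to the 10.1.1 network
        Packet("in", "xennet2", "tcp", "10.1.2.10", "10.1.1.19", 51000, 8080),   # monit: pass
        Packet("in", "xennet2", "tcp", "10.1.2.10", "10.1.1.50", 51001, 22),     # ssh: block
        Packet("in", "xennet2", "icmp", "10.1.2.10", "10.1.1.50"),               # quick icmp: pass
        Packet("out", "xennet2", "tcp", "10.1.1.5", "10.1.2.10", 40000, 2222),   # admin -> joomla
        Packet("in", "xennet2", "tcp", "10.1.2.10", "10.1.1.5", 2222, 40000),    # reply via state
    ]
    for p in samples:
        print(p.direction, p.iface, p.proto, f"{p.src}:{p.sport} -> {p.dst}:{p.dport}", fw.decide(p))
```

Note the third packet: ICMP from the DMZ to an internal host passes even though it is aimed at 10.1.1.0/24, because the quick icmp rule sits above the block line and ends the search. The last packet only gets in because the outbound port-2222 rule created state; run the same packet through a fresh Firewall and the block rule wins.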

Refs.