Chaining addresses in FreeBSD ipfw


Between bhyvecon Tokyo talks last year I overheard some of the guard discussing how ipfw offered higher equivalent throughput than pf on FreeBSD. There may have been a caveat or part of the discussion I missed, but I took this as an excuse and opportunity to finally learn it.

Today I was trying to figure out how to only enable a port for a specific set of IP addresses. The easiest way is to specify two rules in your ipfw.rules:

ipfw -q add 00500 allow tcp from x.x.x.x to me 43210 in via $WAN
ipfw -q add 00501 allow tcp from x.x.x.y to me 43210 in via $WAN

But rules can also contain multiple addresses. From the manpage(8):

Additionally, sets of alternative match patterns (or-blocks) can be constructed by putting the patterns in lists enclosed between parentheses ( ) or braces { }, and using the or operator.

So the alternative for my above could be this:

TRUSTED="x.x.x.x or x.x.x.y"
ipfw -q add 00500 allow tcp from \{ $TRUSTED \} to me 43210 in via $WAN

Sure enough, when you ipfw list:

==> 00500 allow tcp from { x.x.x.x or x.x.x.y } to me 43210 in via $WAN

Aside from being easier to read and update, it also means you avoid needing to iterate a rule number in your scripts.

(Funny story, I blogged about OpenBSD’s ported pf on FreeBSD years ago, and the visceral comments from certain Linux folks were severe enough that I deleted it and self-censored BSD posts. Two months later, and I’d even turned off blog comments. I feel a mix of trepidation and cautious optimism posting about firewalls on the BSDs again).

Author bio and support


Ruben Schade is a technical writer and infrastructure architect in Sydney, Australia who refers to himself in the third person. Hi!

The site is powered by Hugo, FreeBSD, and OpenZFS on OrionVM, everyone’s favourite bespoke cloud infrastructure provider.

If you found this post helpful or entertaining, you can shout me a coffee or send a comment. Thanks ☺️.