I Do Not Use the Default “Workstation” Profile
GhostBSD uses a default IPFW profile called "workstation", which applies a general-purpose ruleset suitable for basic desktop use. While functional, it is more permissive than I prefer. It allows broad outbound and some inbound traffic without fine-grained control.
To improve security and ensure predictable behavior, I’ve implemented my own custom ruleset and configured the system to use it instead of the default. This approach gives me full visibility into what’s allowed, blocks unnecessary traffic, and aligns better with my personal security standards.
This guide shows how to configure a safe, minimal IPFW firewall for GhostBSD, ideal for desktop use, web browsing, system updates, and secure file transfers.
1. Identify Your Network Interface
Run this to find your active interface (usually em0, re0, or wlan0):
ifconfig
Note the interface name; it goes into the oif variable of the ruleset below.
Example terminal output of “ifconfig”:
ifconfig
em0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST......
On most GhostBSD systems using wired Ethernet, the interface is called em0, re0, or ue0 (USB adapters). For Wi-Fi, it is usually wlan0. The interface your traffic actually uses is the one that shows an inet address and status: active; an interface that is merely UP with no address is not the right one.
2. Create Your Custom Ruleset
Create the rules file:
sudo nano /etc/ipfw.rules
Note: 192.168.1.45 is used as an example. Replace it with the IP address of the other computer you want to access on your local network, and set oif to the interface you identified in step 1.
Paste the following:
#!/bin/sh
# Secure minimal ruleset for GhostBSD XFCE: browsing, SFTP + diagnostics
# Flush existing rules
ipfw -q -f flush
# Define interface
oif="em0" # Replace with your actual interface if different
# Allow all loopback traffic
ipfw add 00100 allow ip from any to any via lo0
# Block loopback addresses seen on any other interface (spoofed)
ipfw add 00200 deny ip from any to 127.0.0.0/8
ipfw add 00300 deny ip from 127.0.0.0/8 to any
# Consult the dynamic (keep-state) table here, ahead of the private-range
# blocks below. ipfw only looks at that table when it reaches the first
# check-state or keep-state rule; without this line that is rule 00500, so
# replies from LAN addresses to connections this host opened (DNS or NTP
# answered by the router, ping replies from the gateway) would be dropped
# by rule 00330 before ever being checked against the state table.
ipfw add 00305 check-state
# Block private IP ranges inbound on the main interface EXCEPT the trusted PC.
# On a home LAN this interface is itself inside 192.168.1.0/24, so unsolicited
# traffic from every other LAN host, the router included, is refused here;
# only replies to connections this host opened pass (via 00305).
ipfw add 00310 deny ip from 10.0.0.0/8 to any in via $oif
ipfw add 00320 deny ip from 172.16.0.0/12 to any in via $oif
ipfw add 00330 deny ip from 192.168.0.0/16 to any in via $oif not src-ip 192.168.1.45
ipfw add 00340 deny ip from 169.254.0.0/16 to any in via $oif
# Allow established TCP connections (return traffic). This is a stateless
# match on the ACK/RST flags, so it also admits unsolicited ACK-flagged
# segments (ACK scans); it is kept so that long-idle TCP sessions survive
# after their dynamic rule expires (net.inet.ip.fw.dyn_ack_lifetime, 300 s
# by default). Remove it if you accept that trade-off.
ipfw add 00400 allow tcp from any to any established
# Allow outbound TCP for browsing, updates, SFTP (creates dynamic rules)
ipfw add 00500 allow tcp from me to any setup keep-state
# Allow outbound UDP for DNS and NTP
ipfw add 00600 allow udp from me to any 53 keep-state
ipfw add 00700 allow udp from me to any 123 keep-state
# Allow outbound SSH/SFTP to the trusted PC (already covered by 00500,
# kept to document the intent)
ipfw add 00800 allow tcp from me to 192.168.1.45 22 keep-state
# Allow ICMP for diagnostics (ping): outbound with state, inbound limited to
# echo reply (0), destination unreachable (3), echo request (8) and time
# exceeded (11); other types, redirects in particular, are not accepted.
ipfw add 00900 allow icmp from me to any keep-state
ipfw add 00910 allow icmp from any to me icmptypes 0,3,8,11
# Deny all other inbound TCP connection attempts
ipfw add 01000 deny tcp from any to any setup
# Log and deny everything else (logging reaches syslog only when
# net.inet.ip.fw.verbose is 1; see firewall_logging in the next step)
ipfw add 01100 deny log ip from any to any
Make it executable:
sudo chmod +x /etc/ipfw.rules
3. Enable Your Custom Firewall at Boot
Tell GhostBSD to use your script, and enable logging so that matches of the deny log rule are written to syslog (/var/log/security) instead of only to the ipfw0 logging interface:
sudo sysrc firewall_enable="YES"
sudo sysrc firewall_type="none"
sudo sysrc firewall_script="/etc/ipfw.rules"
sudo sysrc firewall_logging="YES"
Apply it now:
sudo service ipfw restart
4. Test and Verify
Check active rules, then the dynamic entries the keep-state rules create for your open connections:
sudo ipfw list
sudo ipfw -d list
Test connectivity. Ping a public address and your gateway or trusted PC, and use fetch to exercise name resolution and an outbound TCP connection in one go:
ping 8.8.8.8
ping 192.168.1.xx
fetch -o /dev/null https://www.ghostbsd.org/
Packets rejected by the final deny log rule appear in /var/log/security when firewall_logging is enabled; check it if something unexpectedly fails:
tail /var/log/security
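The ordering pitfall that matters most in a ruleset like this one is easy to miss by eye: ipfw consults its dynamic (keep-state) table only when it reaches the first check-state or keep-state rule, so an inbound deny rule with a lower number silently drops replies to the host's own outbound connections whenever the peer falls inside the denied range (a LAN router answering DNS, for instance). The following script is an added example, not part of GhostBSD or of the ruleset above; it checks a ruleset file offline with nothing but sh and awk, and runs itself against two constructed fragments modelled on the rules on this page, one without a check-state rule and one with it. The file names and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of GhostBSD or of the ruleset on this page):
# an offline ordering check for an ipfw script. ipfw consults its dynamic
# (keep-state) table only at the first check-state or keep-state rule, so a
# "deny ... in" rule numbered below that point drops replies to this host's
# own outbound connections whenever the peer sits in the denied range.

# Rule number of the first rule that consults the dynamic table, 65535 if none.
first_state_rule() {
    awk '/^ipfw add [0-9]+ / && (/check-state/ || /keep-state/) { n = $3 + 0; exit }
         END { print (n == "" ? 65535 : n) }' "$1"
}

# Print every inbound deny rule numbered below the first stateful rule,
# one per line as "<number>: <rule line>".
deny_before_state() {
    limit=$(first_state_rule "$1")
    awk -v limit="$limit" \
        '/^ipfw add [0-9]+ deny / && / in / && ($3 + 0) < limit { print $3 + 0 ": " $0 }' "$1"
}

# Number of offending rules; 0 means no early deny can eat reply traffic.
count_deny_before_state() {
    deny_before_state "$1" | wc -l | tr -d ' '
}

# Constructed input: two trimmed fragments in the style of this page's rules.
# Rule numbers and addresses are illustrative; $oif is left unexpanded on
# purpose, exactly as it would appear in the script file.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/no-check-state.rules" <<'EOF'
ipfw add 00100 allow ip from any to any via lo0
ipfw add 00330 deny ip from 192.168.0.0/16 to any in via $oif not src-ip 192.168.1.45
ipfw add 00400 allow tcp from any to any established
ipfw add 00500 allow tcp from me to any setup keep-state
ipfw add 00600 allow udp from me to any 53 keep-state
EOF
cat > "$tmp/check-state.rules" <<'EOF'
ipfw add 00100 allow ip from any to any via lo0
ipfw add 00305 check-state
ipfw add 00330 deny ip from 192.168.0.0/16 to any in via $oif not src-ip 192.168.1.45
ipfw add 00400 allow tcp from any to any established
ipfw add 00500 allow tcp from me to any setup keep-state
ipfw add 00600 allow udp from me to any 53 keep-state
EOF

# Report: the first fragment flags rule 330 (a DNS reply from 192.168.1.1
# would be denied there before the state table is consulted at 500); the
# second flags nothing because check-state at 305 precedes the deny.
for f in "$tmp/no-check-state.rules" "$tmp/check-state.rules"; do
    echo "== $(basename "$f"): first stateful rule is $(first_state_rule "$f")"
    deny_before_state "$f"
done
```

Point deny_before_state at /etc/ipfw.rules to check the real file. The check is deliberately narrow: it looks only at deny rules that carry an explicit in direction, and it does not try to reason about which addresses a given deny covers, so a clean report means the ordering is safe, not that every rule is correct.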
Summary
This setup gives you:
- A clean, minimal firewall
- Protection against spoofing and unwanted inbound traffic
- Full desktop functionality (web, updates, SFTP, ping)
- Easy customization and reproducibility