It is considered good practice to have a default blocking policy, but filtering is not strictly needed on the front-facing interface, since the BSD gateway is not listening on any port whatsoever. This example with four interfaces filters only what comes in and out (notice the pass out ... keep state line) from the DMZ on xennet2 toward the internal network.
vi /etc/ipf.conf

pass in all
pass out all
#loopback
pass in quick on lo0 all
pass out quick on lo0 all
#icmp
pass in quick proto icmp
pass out quick proto icmp
# xennet0 - internal SUBNET1
# xennet1 - public network
# xennet2 - DMZ SUBNET2
# xennet3 - agents SUBNET3
block in on xennet2 from any to SUBNET1/24
# joomla talks to monit
pass in on xennet2 proto tcp from any to HOSTIPX port = 8080
# joomla talks to mariadb
pass in on xennet2 proto tcp from any to HOSTIPX port = 3306
# joomla needs dns
pass in on xennet2 proto udp from any to HOSTIPX port = 53
pass in on xennet2 proto tcp from any to HOSTIPX port = 53
# we need to be able to maintain joomla on port 2222
pass out on xennet2 proto tcp from any to any port = 2222 keep state
vi /etc/rc.conf

ipfilter=yes
ipfilter_flags=""
#ipmon=yes
ipmon_flags="-Dns"

#/etc/rc.d/ipmon start
/etc/rc.d/ipfilter start
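Reading an ipf.conf correctly depends on one rule: the last matching rule decides, unless a matching rule says quick, which ends evaluation at once. The following added model (not code from the page or from ipfilter) replays the inbound rules above against constructed packets; SUBNET1 and HOSTIPX are placeholder values, and source addresses, state and the outbound rules are left out of the model.

```python
import ipaddress

# Placeholders standing in for the page's SUBNET1 / HOSTIPX (constructed values).
SUBNET1 = ipaddress.ip_network("10.0.1.0/24")
HOSTIPX = ipaddress.ip_address("10.0.1.1")

# The inbound rules of the ipf.conf above, in file order, reduced to
# (action, quick, interface, proto, destination, dst port); None means "any".
RULES = [
    ("pass",  False, None,      None,   None,    None),  # pass in all
    ("pass",  True,  "lo0",     None,   None,    None),  # pass in quick on lo0 all
    ("pass",  True,  None,      "icmp", None,    None),  # pass in quick proto icmp
    ("block", False, "xennet2", None,   SUBNET1, None),  # block in on xennet2 ... to SUBNET1/24
    ("pass",  False, "xennet2", "tcp",  HOSTIPX, 8080),  # joomla talks to monit
    ("pass",  False, "xennet2", "tcp",  HOSTIPX, 3306),  # joomla talks to mariadb
    ("pass",  False, "xennet2", "udp",  HOSTIPX, 53),    # joomla needs dns
    ("pass",  False, "xennet2", "tcp",  HOSTIPX, 53),
]


def matches(rule, iface, proto, dst, dport):
    """True when every field the rule constrains agrees with the packet."""
    _, _, r_if, r_proto, r_dst, r_port = rule
    if r_if is not None and r_if != iface:
        return False
    if r_proto is not None and r_proto != proto:
        return False
    if isinstance(r_dst, ipaddress.IPv4Network) and dst not in r_dst:
        return False
    if isinstance(r_dst, ipaddress.IPv4Address) and dst != r_dst:
        return False
    return r_port is None or r_port == dport


def verdict(iface, proto, dst, dport=None):
    """ipfilter semantics: the LAST matching rule wins, but a matching
    'quick' rule stops evaluation immediately. Because 'pass in all' is
    the first rule, every packet matches at least once here."""
    dst = ipaddress.ip_address(dst)
    result = "pass"  # ipf passes a packet that matches no rule at all
    for rule in RULES:
        if matches(rule, iface, proto, dst, dport):
            result = rule[0]
            if rule[1]:  # quick: stop at this rule
                break
    return result
```

Note that ICMP from the DMZ into SUBNET1 passes: the quick icmp rule fires before the block rule is ever reached, which is the kind of ordering effect worth checking in a ruleset like this one.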