IPFW Open status firewall

Hi, please how can i set firewall status to "open"? I tried firewall_type="open" but i still have default rule: deny ip from any to any like firewall_type="close". Please, can you help me?
I am sorry for needing to ask for something obvious, however, the most probable cause for your experience is, that the directive firewall_type="open" wasn't yet executed by the init system. So, did you restart either your machine or the ipfw(8) system after you placed said directive into /etc/rc.conf? See what happens when you issue the following command as user root:
service ipfw restart.
  • Place the following content into a script file /usr/local/etc/ipfw-open.conf
    /sbin/ipfw -q flush
    /sbin/ipfw -q add 65534 allow ip from any to any
  • Make the file executable with the command: chmod +x /usr/local/etc/ipfw-open.conf
  • Execute the created ipfw script: /usr/local/etc/ipfw-open.conf
  • Verify that the rule has been applied: ipfw show
    65534 474 79469 allow ip from any to any
    65535   3   192 deny ip from any to any
You should see the allow rule 65534 comming before the deny rule. Note that the rule 65535 cannot be changed from user space. Anyway, with the open-all rule 65534 in place the default deny rule will never be touched anymore.

If this works as expected, then replace in /etc/rc.conf your directive firewall_type="open" with firewall_script="/usr/local/etc/ipfw-open.conf"

If you really want to have the default rule completely disappear, then you need to compile a custom kernel with the following kernel options:

Instead of compiling a custom kernel, you can place the DEFAULT_TO_ACCEPT setting as a sysctl into /boot/loader.conf. I just verified this is working with the following additions to /boot/loader.conf:
Note, that the given sysctl must be changed in the loader stage since it is read-only from user space.
Thanks! Its working, but i have problem. Firewall blocking my ip and i dont know why.
ipfw -q -f flush
ipfw -q add 00001 allow all from to any via vtnet0
And my ip is . I tried " allow all from any to any via vtnet0" and then its working (fw pass all traffic).
I tried use my hostname too but i got "unknown hostname".
Sorry for my questions but iam only begginer.
Didn't you say that you achieved to have the final firewall rule to be open?

Note, IP traffic is usually bi-directional, and the firewall must allow the packets of both endpoints of a connection. Your rule #00001 does allow outgoing traffic from to any but any incoming traffic is generally forbidden by rule #65535.

Your choices are either of:
  1. convert the default rule #65535 to an open one as explained in my message #5

  2. add a general allow rule in front of the default rule
    /sbin/ipfw -q add 65534 allow ip from any to any

  3. convert your single allow rule into an in/out rule pair:
    /sbin/ipfw -q add 1 allow ip from to any out xmit vtnet0
    /sbin/ipfw -q add 2 allow ip from any to in recv vtnet0

  4. make your firewall a stateful one:
    /sbin/ipfw -q add 1 check-state
    /sbin/ipfw -q add 2 allow tcp from to any out xmit vtnet0 setup keepstate
    /sbin/ipfw -q add 3 allow udp from to any out xmit vtnet0 keepstate
Thanks! I used option 3, so its working. Here is my ipfw.rules:
ipfw -q -f flush
ipfw -q add 00001 allow ip from any to out xmit vtnet0
ipfw -q add 00002 allow ip from to any in recv vtnet0
and sorry for my bad english :D
I have one more question, please how to allow loopback?
i tried:
ipfw -q add 00015 allow all from to me out xmit vtnet0
ipfw -q add 00016 allow all from me to in recv vtnet0
but it dont work.
ipfw(8) evaluates the rules in sequential order, i.e. rules with lower numbers come first. It stops evaluation once a rule matches. Therefore, you want to put rules which would be hit by the biggest traffic (usually everything local) first in your ruleset. My rulesets always start with:
ipfw -q -f flush

/sbin/ipfw -q add 10 allow ip from any to any via $lanif
/sbin/ipfw -q add 20 allow ip from any to any via lo0
If your machine does not have a dedicated LAN interface, then forget rule #10. lo0 is the loopback interface identifier, and therefore rule #20 allows all the traffic going over it. Your other rules should come afterwards, and you want to change the rule numbers #1 and #2 to let's say #30 and #31.