Firewall Layer 3 Filter
The system, by default uses IPFW, which is the IPFIREWALL (4) command interface, the most popular utility for implementing IP packet filtering and network traffic control on FreeBSD, and is the native FIREWALL tool with which FreeBSD works by default (even though the firewall is initially disabled at the kernel level).
The logic of how IPFW works its rules is similar to that adopted in many other Packet Filters, with the exception of IPFilter, which operates with a rules rule that is less efficient and requires much more care when it comes to adjust the firewall (if you are familiar with ipf (8), for example, notice the use of the 'quick' key, necessary for ipf (8) not to traverse the entire rule, every time it is read; other particular factors of IPFilter use). But that does not detract from the quality and implementation power of ipf (8) firewalls, which also has its own advantages. The final choice as to which Packet Filtering tool to use is a personal decision, unless you need a Firewall feature that the other does not have, but we will make a comparison between these two tools later.
As previously stated, ipfirewall (4) is a firewall by packet filtering, which means that it acts by monitoring packet-to-packet all connections, and from the FreeBSD 4.x series (FreeBSD 4.0), ipfirewall (4) can also manage a stateful filtering of more rudimentary connections, according to connection states. This behavior is always transparent to users, meaning no one will notice that a firewall exists until an expected event blocks it.
A firewall can be architected in several ways, but all ways can be simplified based on two filtering policies: open and closed. Firewall that follows an open policy allows all packets to be routed by default, and blocks those that belong to a type of connection that is not wanted, ie "opens all and blocks unwanted". On the other hand there are firewalls that follows a closed policy, doing the opposite, blocking all packet routing, and releasing one by one the traffic of allowed connections. This second implementation provides a much more rigid firewall, but its configuration is much more laborious because it can easily block the traffic of some service being used on the network. Some protocols establish dynamic connections, which are much more difficult to predict, but you have to be aware of this type of situation.