Fresbsd firewall: Unterschied zwischen den Versionen
Thomas (Diskussion | Beiträge) (→links) |
Thomas (Diskussion | Beiträge) |
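--- a/Fresbsd firewall
+++ b/Fresbsd firewall
@@ -24,6 +24,31 @@
 ipfw -q add 00103 allow icmp from any to any
 </pre>
+
+=with nat=
+<pre>
+#!/bin/sh
+wan="re0"
+lan="re1"
+ipfw -q -f flush
+
+ipfw -q add 005 allow all from any to any via $lan # exclude LAN traffic
+ipfw -q add 010 allow all from any to any via lo0 # exclude loopback traffic
+ipfw -q add 100 divert natd ip from any to any in via $wan # NAT any inbound packets
+# Allow the packet through if it has an existing entry in the dynamic rules table
+ipfw -q add 101 check-state
+
+# Authorized outbound packets
+ipfw -q add 120 skipto 500 udp from any to any 53 out via $wan keep-state
+ipfw -q add 121 skipto 500 udp from any to any 67 out via $wan keep-state
+ipfw -q add 125 skipto 500 tcp from any to any 22,25,53,80,443,110 out via $wan setup keep-state
+ipfw -q add 130 skipto 500 icmp from any to any out via $wan keep-state
+
+ipfw -q add 499 deny log all from any to any
+ipfw -q add 500 divert natd ip from any to any out via $wan # skipto location for outbound stateful rules
+ipfw -q add 510 allow ip from any to any
+<pre>
+
 =links=
 *https://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/
 *https://www.freebsd.org/doc/de_DE.ISO8859-1/books/handbook/firewalls-ipfw.html
 *https://www.freebsd.org/doc/de_DE.ISO8859-1/books/handbook/firewalls.html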
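Review bot: The last added markup line closes the preformatted block with a second `<pre>` instead of `</pre>`, so the block never ends and the following `=links=` heading is rendered as part of the script (the current page shows `to anylinks`); change that line to `</pre>`. Rules 100 and 500 divert to natd, which only has an effect if the natd daemon is actually running on this host; nothing in the hunk documents that prerequisite, so a comment such as `# requires natd to be running (natd_enable / natd_interface in rc.conf)` above rule 100 would save the next reader a silent failure. Rule 125 lets every LAN host open outbound SMTP (port 25) through the NAT; if only a mail relay is meant to do that, narrow the source address, otherwise a comment stating that this is intended is worth adding. Rule 499 relies on `log`, which writes nothing unless ipfw logging is enabled (firewall_logging in rc.conf or the corresponding sysctl) — presumably intended, but it should be stated next to the rule.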
Version vom 31. Oktober 2017, 09:26 Uhr
rc.conf
# /etc/rc.conf: enable ipfw at boot and run the ruleset script shown below.
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
/etc/ipfw.rules
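#!/bin/sh
# /etc/ipfw.rules -- minimal ipfw ruleset without NAT.
#
# Loaded through firewall_script in rc.conf. Rules are evaluated in
# ascending rule-number order; the first match decides.

# Flush out the list before we begin.
ipfw -q -f flush

# Interface names; adjust to the NICs of this host.
wan="re0"   # upstream interface
lan="re1"   # local network interface

# Accept everything on the LAN interface.
ipfw -q add 00005 allow all from any to any via "$lan"
# NOTE(review): this also accepts everything on the WAN interface, so no
# rule below is ever reached for WAN traffic and the WAN side is
# effectively unfiltered. Kept as documented; remove this line if rules
# 00101-00103 are meant to apply to WAN traffic.
ipfw -q add 00005 allow all from any to any via "$wan"

# No restrictions on Loopback Interface
ipfw -q add 00010 allow all from any to any via lo0

# Pass packets that match an entry in the dynamic rules table.
ipfw -q add 00101 check-state
# Pass TCP segments of already established connections (this rule was
# listed twice; one copy is sufficient).
ipfw -q add 00102 allow tcp from any to any established
ipfw -q add 00103 allow icmp from any to any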
with nat
#!/bin/sh
# /etc/ipfw.rules -- stateful ipfw ruleset with NAT (natd) on the WAN side.
#
# LAN and loopback traffic passes unconditionally. WAN traffic is NATed;
# only the outbound flows listed under "Authorized outbound packets" (and
# the replies matched by their dynamic state) are allowed, everything
# else reaching rule 499 is dropped and logged.
# NOTE(review): the divert rules only work with a running natd process;
# confirm the natd_* settings in rc.conf.

wan="re0"
lan="re1"

# Shorthand: every rule below is installed with the same ipfw prefix.
rule() {
  ipfw -q add "$@"
}

ipfw -q -f flush

rule 005 allow all from any to any via "$lan"           # exclude LAN traffic
rule 010 allow all from any to any via lo0              # exclude loopback traffic
rule 100 divert natd ip from any to any in via "$wan"   # NAT any inbound packets
# Allow the packet through if it has an existing entry in the dynamic rules table
rule 101 check-state

# Authorized outbound packets: each match jumps to the outbound NAT rule
# and records state so the reply is accepted by rule 101.
rule 120 skipto 500 udp from any to any 53 out via "$wan" keep-state
rule 121 skipto 500 udp from any to any 67 out via "$wan" keep-state
rule 125 skipto 500 tcp from any to any 22,25,53,80,443,110 out via "$wan" setup keep-state
rule 130 skipto 500 icmp from any to any out via "$wan" keep-state

# Nothing above matched: drop and log.
rule 499 deny log all from any to any
# skipto location for outbound stateful rules
rule 500 divert natd ip from any to any out via "$wan"
rule 510 allow ip from any to any
*https://www.cyberciti.biz/faq/howto-setup-freebsd-ipfw-firewall/ *https://www.freebsd.org/doc/de_DE.ISO8859-1/books/handbook/firewalls-ipfw.html *https://www.freebsd.org/doc/de_DE.ISO8859-1/books/handbook/firewalls.html