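# Flush the forwarding (-F) and input (-I) rule lists first, so the script
# can be re-run without ending up with duplicate firewall rules.
# NOTE(review): the flush does not set the forwarding default policy, and
# this script never sets it either. Until the rules below are re-added,
# forwarding falls back to whatever that policy currently is; confirm it
# is deny.
/sbin/ipfwadm -F -f
/sbin/ipfwadm -I -f

# Input default policy is accept: only the explicit deny rules below filter
# incoming packets; everything else is let in.
/sbin/ipfwadm -I -p accept

# Forward traffic to and from the protected server (-b makes the rule
# bidirectional). This rule has to come before the catch-all deny below.
/sbin/ipfwadm -F -a accept -P all -S0.0.0.0/0 -Dyour_server/32 -b
# Do not forward anything else.
/sbin/ipfwadm -F -a deny -P all -S0.0.0.0/0 -D0.0.0.0/0

# Drop obviously fake (spoofed) packets; -o logs each match.
# Loopback is the whole 127.0.0.0/8 block, not just 127.0.0.0/24, and the
# policy keyword is "accept" ("allow" is not an ipfwadm policy). Loopback
# traffic is accepted on lo only; the same source on any other interface is
# denied by the rule that follows.
/sbin/ipfwadm -I -a accept -P all -S127.0.0.0/8 -D127.0.0.0/8 -Wlo
/sbin/ipfwadm -I -a deny  -P all -S127.0.0.0/8 -D0.0.0.0/0 -o
# NOTE(review): this rule names no interface, so it also drops 10.0.0.0/8
# sources arriving on the inside. Restrict it with -Weth0 if the internal
# network uses that range. The other private ranges (172.16.0.0/12 and
# 192.168.0.0/16) are not covered here.
/sbin/ipfwadm -I -a deny  -P all -S10.0.0.0/8 -D0.0.0.0/0 -o

# Drop packets claiming your_server as source when they arrive from the
# outside (assuming eth0 is your external interface). The original "-oi"
# looked like a typo for the logging flag -o used by the sibling rules.
/sbin/ipfwadm -I -a deny  -P all -Syour_server/32 -D0.0.0.0/0 -o \
    -Weth0
# Same for the firewall's own address.
/sbin/ipfwadm -I -a deny -P all -Syour_firewall/32 -D0.0.0.0/0 -o \
    -Weth0

# Optional: deny the firewall itself as a destination.
# NOTE(review): no interface is given, so this also blocks management
# access to the firewall from the inside; confirm that is intended.
/sbin/ipfwadm -I -a deny -P all -S0.0.0.0/0 -Dyour_firewall/32 -o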
# Finally, protect sensitive ports of your_server
[ ... ]