There are multiple firewall solutions available on FreeBSD, but I only ever used pf. If you are a ipfw or ipfilter user I am sorry but I trust you will know how to translate the firewalling rules.
nat pass on egress from <jails> to <internet> -> (egress:0)
rdr-anchor "rdr/*"
set skip on lo
block return log
##### This firewall #####
block drop in on egress
pass inet proto icmp all icmp-type unreach code needfrag # MTU path discovery
pass inet proto icmp all icmp-type { echoreq, unreach } # echo reply
pass inet6 proto icmp6 all
pass in on egress proto tcp from <internet> to <myself> port { ssh, http, https, smtp, smtps, submission }
pass out from <myself> to any
```
A pre-requisite of this configuration is to have set an `egress` group for your egress interface(s) like so in your `/etc/rc.conf`:
```cfg
ifconfig_vtnet0="DHCP group egress"
```
## Client only
With our template, you can already use your wireguard vpn as a client without any changes because of the `pass out from <myself> to any` rule. It cover all outgoing traffic for us:
- egress udp to port 342 (the port we used as example in our previous articles) to establish the tunnel with our peers
- egress from interface wg0 to send packets into the tunnel.
- conveniently, it covers both ipv4 and ipv6
## Reachable client
To make your client reachable over wireguard, add the following:
```
pass in on wg0 from <private> to <myself>
```
## Server
A server's configuration just need to accept wireguard connections in addition of the previous rule:
```cfg
pass in on egress proto udp from <internet> to <myself> port 342
pass in on wg0 from <private> to <myself>
```
## Hub
As seen in a previous routing article, a hub is a server that can route traffic to another one over wireguard:
```cfg
pass in on egress proto udp from <internet> to <myself> port 342