Here is an ipfw configuration I have been working on. It redirects some ports to the host system, others into jails, and on top of that limits the ports on which the jails and the host are allowed to talk to the outside. Additionally I have configured a one-second delay (a dummynet pipe) for the initial SSH connection, which is meant to make brute-force attacks less attractive. Note that the delay only slows down each individual handshake; it does not cap the number of parallel attempts, so it is a nuisance for attackers rather than a hard limit.
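# /usr/local/etc/2015-10-01.ipfw
#
# ipfw ruleset for a host with jails in 10.0.0.0/24 behind one external
# interface (vtnet0).  Intent: a few host ports are reachable from outside,
# one port is forwarded into a jail, everything else is denied and logged.
#
# NOTE(review): the ruleset relies on the default net.inet.ip.fw.one_pass=1:
# a packet that has gone through a "pipe" or "nat" action is accepted right
# away and NOT reinjected at the next rule.  With one_pass=0 the delayed SSH
# SYN (rule 1700) and every nat'ed packet would fall through to the final
# deny.  Verify the sysctl on the target host.
# NOTE(review): assumes the jail addresses are aliases on the host (non-VNET
# jails); they then also match "me", which is why jail egress is handled in
# rule 1300 before any "from me" rule.  With VNET jails adjust 1300.
# ================================================================================
# clean up / reset everything...
flush
queue flush
pipe flush
table all flush
resetlog
# ================================================================================
# table 1: resolvers the host may query (outbound udp/53 only)
table 1 add 213.133.99.99
table 1 add 213.133.100.100
table 1 add 213.133.98.98
# table 2: jail addresses
table 2 add 10.0.0.0/24
# nat: external 172.31.1.100:80 -> jail 10.0.0.100:8080.
# deny_in makes libalias drop inbound packets that belong to no existing
# translation; the static redirect_port entry and replies to jail-initiated
# connections are still translated.  Without it, a rule like
# "nat 1 udp from any to any" together with one_pass=1 accepts arbitrary
# unsolicited inbound traffic.
nat 1 config if vtnet0 deny_in redirect_port tcp 10.0.0.100:8080 172.31.1.100:80
# pipes (requires kldload dummynet)
pipe 1 config delay 1000 // 1 s, applied to the SSH handshake only (rule 1700)
# pipe 2 is currently referenced by no rule; kept so the number stays reserved
pipe 2 config delay 200
# ================================================================================
add 100 pass all from any to any via lo0
add 200 deny all from any to 127.0.0.0/8 // ipv4 lo0 inbound
add 300 deny ip from 127.0.0.0/8 to any // ipv4 lo0 outbound
add 400 deny all from any to ::1 // ipv6 lo0 inbound
add 500 deny all from ::1 to any // ipv6 lo0 outbound
# icmp.  NOTE(review): every icmp type is accepted inbound; narrow with
# "icmptypes 0,3,8,11" if only echo/unreachable/ttl-exceeded are wanted.
add 1000 set 0 allow icmp from any to me in via vtnet0 // icmp4 incoming
add 1100 set 1 allow ipv6-icmp from any to me6 in via vtnet0 // icmp6 incoming
add 1200 set 0 allow icmp from me to any out via vtnet0 // icmp4 outgoing
# icmp6 must also be able to leave the host; without this rule neighbor
# discovery can neither be answered nor initiated and ipv6 does not work
add 1250 set 1 allow ipv6-icmp from me6 to any out via vtnet0 // icmp6 outgoing
# ================================================================================
# jails: translate everything a jail sends towards the outside world.  This
# has to come before the "from me" rules, otherwise jail packets leave with
# their private source address untranslated.  With one_pass=1 the packet is
# accepted here, so this is also the place to restrict jail egress
# (e.g. add "dst-port 53,80,443").
add 1300 nat 1 ip4 from table(2) to any out via vtnet0 // jail->any (natted)
# ================================================================================
# dns: keep-state so the replies are admitted by check-state (2000) instead of
# relying on a catch-all nat rule.  Other outbound udp from the host (e.g. ntp)
# needs its own explicit keep-state rule like this one.
add 1400 allow udp from me to table(1) 53 out keep-state // allow dns
# slow down first ssh connection (setup) by using pipe 1...
# NOTE(review): the pipe delays each handshake by 1 s but does not cap the
# number of parallel attempts; combine with "limit src-addr N" or
# sshguard/blacklistd for real brute-force protection.
add 1500 allow tcp from me 22 to any // ssh->any
add 1600 allow tcp from any to me 22 not setup // any->me(22), not setup
add 1700 pipe 1 tcp from any to me 22 setup // any->me(22), setup; accepted after the pipe (one_pass)
# ================================================================================
add 2000 check-state
add 2100 allow ip from me to any setup keep-state out // outgoing tcp connections from the host
# ================================================================================
# inbound to the external address: libalias either matches the redirect
# (-> jail 10.0.0.100:8080), an existing translation (reply to jail traffic),
# or drops the packet because of deny_in.  Drops here are NOT logged by 65000.
add 64000 nat 1 ip4 from any to me in via vtnet0 // any->me (de-nat)
# ================================================================================
add 65000 deny log ip from any to any // deny everything else, but log it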