diff --git a/freebsd/install.sh b/freebsd/install.sh
index ae5b4112..8c29552c 100755
--- a/freebsd/install.sh
+++ b/freebsd/install.sh
@@ -28,9 +28,13 @@ if [ .$portsnap_enabled = .'true' ]; then
 fi
 #PF - Packet Filter
-if [ .$firewall_enabled = .'true' ]; then
+if [ .$firewall_enabled = .'pf' ]; then
 	resources/pf.sh
 fi
+#IPFW - Kernel Firewall
+if [ .$firewall_enabled = .'ipfw' ]; then
+	resources/ipfw.sh
+fi
 #sngrep
 if [ .$sngrep_enabled = .'true' ]; then
diff --git a/freebsd/resources/config.sh b/freebsd/resources/config.sh
index 0102153e..f174b0c1 100755
--- a/freebsd/resources/config.sh
+++ b/freebsd/resources/config.sh
@@ -3,7 +3,7 @@ domain_name=hostname # hostname, ip_address or a custom value
 system_username=admin # default username admin
 system_password=random # random or as a pre-set value
-system_branch=5.3 # master, 5.3
+system_branch=5.4 # master, 5.3
 # FreeSWITCH Settings
 switch_enabled=true # true or false
@@ -16,13 +16,13 @@ database_name=fusionpbx # Database name (safe characters A-Z, a-z, 0-9)
 database_username=fusionpbx # Database username (safe characters A-Z, a-z, 0-9)
 database_password=random # random or a custom value (safe characters A-Z, a-z, 0-9)
 database_enabled=true # true or false
-database_version=15 # Postgres 16, 15, 14, 13, 12
+database_version=17 # Postgres 16, 15, 14, 13, 12
 database_host=127.0.0.1 # hostname or IP address
 database_port=5432 # port number
 database_backup=false # true or false
 # Firewall Settings
-firewall_enabled=true # true or false
+firewall_enabled=ipfw # ipfw, pf, or false
 # General Settings
 interface_name=auto # auto, em0, igb0, vtnet0, or other valid names
diff --git a/freebsd/resources/fail2ban.sh b/freebsd/resources/fail2ban.sh
index 9a7dbf74..453dd431 100755
--- a/freebsd/resources/fail2ban.sh
+++ b/freebsd/resources/fail2ban.sh
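Review bot: The two compares in install.sh now recognise only `pf` and `ipfw`, so a config.sh that still carries the previous default `firewall_enabled=true` matches neither branch and the host is installed with no packet filter and no message saying so. Mapping the legacy value before the checks, `if [ .$firewall_enabled = .'true' ]; then firewall_enabled=pf; fi`, or printing a warning when the value is none of ipfw, pf or false, keeps existing configs protected. fail2ban.sh selects `jail.local.$firewall_enabled` from the same variable, so an unexpected value breaks that copy as well.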
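Review bot: The accepted-values comment on `database_version` was not updated when the default moved to 17, so it now documents a set that excludes the value actually set; `database_version=17 # Postgres 17, 16, 15, 14, 13, 12` keeps the comment in step with the new postgresql.sh branch. On `firewall_enabled=ipfw # ipfw, pf, or false` it is worth adding that fail2ban.sh expects a matching `fail2ban/jail.local.<value>` file, which this commit ships only for ipfw and pf.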
@@ -11,7 +11,7 @@ cd "$(dirname "$0")"
 verbose "Installing Fail2ban"
 #add the dependencies
-pkg install --yes py39-fail2ban
+pkg install --yes py311-fail2ban
 #enable fail2ban service
 echo 'fail2ban_enable="YES"' >> /etc/rc.conf
@@ -24,7 +24,7 @@ cp fail2ban/freeswitch.conf /usr/local/etc/fail2ban/filter.d/freeswitch.conf
 cp fail2ban/fusionpbx.conf /usr/local/etc/fail2ban/filter.d/fusionpbx.conf
 cp fail2ban/nginx-404.conf /usr/local/etc/fail2ban/filter.d/nginx-404.conf
 cp fail2ban/nginx-dos.conf /usr/local/etc/fail2ban/filter.d/nginx-dos.conf
-cp fail2ban/jail.local /usr/local/etc/fail2ban/jail.local
+cp fail2ban/jail.local.$firewall_enabled /usr/local/etc/fail2ban/jail.local
 cp fail2ban/sip-auth-challenge-ip.conf /usr/local/etc/fail2ban/filter.d/sip-auth-challenge-ip.conf
 cp fail2ban/sip-auth-challenge.conf /usr/local/etc/fail2ban/filter.d/sip-auth-challenge.conf
diff --git a/freebsd/resources/fail2ban/jail.local.ipfw b/freebsd/resources/fail2ban/jail.local.ipfw
new file mode 100755
index 00000000..733c093d
--- /dev/null
+++ b/freebsd/resources/fail2ban/jail.local.ipfw
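Review bot: The added `cp fail2ban/jail.local.$firewall_enabled ...` has no source file for the documented `firewall_enabled=false` value (the commit ships only jail.local.ipfw and jail.local.pf), and if this script runs like ipfw.sh under `/bin/sh` without `set -e`, the failed cp is ignored and fail2ban is enabled in rc.conf with no jail.local at all, i.e. none of the FreeSWITCH, fusionpbx or nginx jails. Make the failure visible and stop, e.g. `cp "fail2ban/jail.local.$firewall_enabled" /usr/local/etc/fail2ban/jail.local || { verbose "no jail.local for firewall_enabled=$firewall_enabled"; exit 1; }`, or skip the fail2ban step in install.sh when no firewall backend is selected. Quoting the expansion also guards against word-splitting if the value is ever set with spaces.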
@@ -0,0 +1,97 @@
+[freeswitch]
+enabled = true
+port = 5060:5091
+protocol = all
+filter = freeswitch
+logpath = /var/log/freeswitch/freeswitch.log
+#logpath = /usr/local/freeswitch/log/freeswitch.log
+maxretry = 5
+findtime = 600
+action = bsd-ipfw[table=1]
+bantime = 3600
+# sendmail-whois[name=FreeSwitch, dest=root, sender=fail2ban@example.org] #no smtp server installed
+
+[freeswitch-ip]
+enabled = false
+port = 5060:5091
+protocol = all
+filter = freeswitch-ip
+logpath = /var/log/freeswitch/freeswitch.log
+#logpath = /usr/local/freeswitch/log/freeswitch.log
+maxretry = 1
+findtime = 30
+action = bsd-ipfw[table=1]
+bantime = 86400
+
+[sip-auth-challenge-ip]
+enabled = false
+port = 5060:5091
+protocol = all
+filter = sip-auth-challenge-ip
+logpath = /var/log/freeswitch/freeswitch.log
+#logpath = /usr/local/freeswitch/log/freeswitch.log
+maxretry = 1
+findtime = 30
+action = bsd-ipfw[table=1]
+bantime = 86400
+
+[sip-auth-challenge]
+enabled = true
+port = 5060:5091
+protocol = all
+filter = sip-auth-challenge
+logpath = /var/log/freeswitch/freeswitch.log
+#logpath = /usr/local/freeswitch/log/freeswitch.log
+maxretry = 50
+findtime = 30
+action = bsd-ipfw[table=1]
+bantime = 7200
+
+[freeswitch-404]
+enabled = false
+port = 5060:5091
+protocol = all
+filter = freeswitch-404
+logpath = /var/log/freeswitch/freeswitch.log
+#logpath = /usr/local/freeswitch/log/freeswitch.log
+maxretry = 3
+findtime = 300
+action = bsd-ipfw[table=1]
+bantime = 86400
+
+[fusionpbx]
+enabled = true
+port = 80,443
+protocol = tcp
+filter = fusionpbx
+logpath = /var/log/auth.log
+# sendmail-whois[name=fusionpbx, dest=root, sender=fail2ban@example.org] #no smtp server installed
+maxretry = 10
+findtime = 600
+action = bsd-ipfw[table=1]
+bantime = 3600
+
+[nginx-404]
+enabled = true
+port = 80,443
+protocol = tcp
+filter = nginx-404
+logpath = /var/log/nginx/access*.log
+findtime = 60
+maxretry = 120
+action = bsd-ipfw[table=1]
+bantime = 3600
+
+[nginx-dos]
+# Based on apache-badbots but a simple IP check (any IP requesting more than
+# 300 pages in 60 seconds, or 5p/s average, is suspicious)
+# Block for two full days.
+enabled = false
+port = 80,443
+protocol = tcp
+filter = nginx-dos
+logpath = /var/log/nginx/access*.log
+findtime = 60
+maxretry = 300
+action = bsd-ipfw[table=1]
+bantime = 86400
diff --git a/freebsd/resources/fail2ban/jail.local b/freebsd/resources/fail2ban/jail.local.pf
similarity index 100%
rename from freebsd/resources/fail2ban/jail.local
rename to freebsd/resources/fail2ban/jail.local.pf
diff --git a/freebsd/resources/finish.sh b/freebsd/resources/finish.sh
index 01aaaf59..0c1a2311 100755
--- a/freebsd/resources/finish.sh
+++ b/freebsd/resources/finish.sh
@@ -68,7 +68,7 @@ if [ .$nginx_enabled = .'true' ]; then
 #update application defaults
 if [ .$nginx_enabled = .'true' ]; then
-	cd /usr/local/www/fusionpbx && /usr/bin/php /var/www/fusionpbx/core/upgrade/upgrade.php --defaults
+	cd /usr/local/www/fusionpbx && /usr/local/bin/php /usr/local/www/fusionpbx/core/upgrade/upgrade.php --defaults
 fi
 #add the user
@@ -97,11 +97,11 @@ if [ .$nginx_enabled = .'true' ]; then
 #update application defaults
 if [ .$nginx_enabled = .'true' ]; then
-	cd /usr/local/www/fusionpbx && /usr/bin/php /var/www/fusionpbx/core/upgrade/upgrade.php --defaults
+	cd /usr/local/www/fusionpbx && /usr/local/bin/php /usr/local/www/fusionpbx/core/upgrade/upgrade.php --defaults
 fi
 #update permissions
-	#cd /var/www/fusionpbx && /usr/bin/php /var/www/fusionpbx/core/upgrade/upgrade.php --permissions
+	#cd /usr/local/www/fusionpbx && /usr/local/bin/php /usr/local/www/fusionpbx/core/upgrade/upgrade.php --permissions
 #reset the current working directory
 cd $cwd
diff --git a/freebsd/resources/ipfw.sh b/freebsd/resources/ipfw.sh
new file mode 100755
index 00000000..4c4f1deb
--- /dev/null
+++ b/freebsd/resources/ipfw.sh
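Review bot: Every jail in the new file bans through `bsd-ipfw[table=1]`, and the blocking itself happens in rule 020 of ipfw.rules (`deny ip from table\(1\) to any`), so the table number is a contract between two files that neither file mentions; a header comment such as `# bans are added to ipfw table 1, which /etc/ipfw.rules denies at rule 020 - keep the two in sync` would make that visible. As far as I recall the bsd-ipfw action only adds and removes table entries, so the `port` and `protocol` values are informational here and a banned address loses all access to the host, web and management ports included; stating that in the same header avoids anyone expecting a port-scoped ban. The thresholds and enabled flags cannot be compared with the renamed pf file from this diff, so nothing is proposed on those.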
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+#move to script directory so all relative paths work
+cd "$(dirname "$0")"
+
+. ./config.sh
+. ./colors.sh
+
+#send a message
+verbose "Configuring IPFW"
+
+#enable the service
+echo 'firewall_enable="YES"' >> /etc/rc.conf
+echo 'firewall_script="/etc/ipfw.rules"' >> /etc/rc.conf
+echo 'firewall_logging="YES"' >> /etc/rc.conf
+
+echo 'net.inet.ip.fw.one_pass=0' >> /etc/sysctl.conf
+
+#copy the pf config file
+cp ipfw/ipfw.rules /etc/ipfw.rules
+
+service ipfw start
diff --git a/freebsd/resources/ipfw/ipfw.rules b/freebsd/resources/ipfw/ipfw.rules
new file mode 100755
index 00000000..9494305a
--- /dev/null
+++ b/freebsd/resources/ipfw/ipfw.rules
@@ -0,0 +1,29 @@
+ipfw -f flush
+
+# reassemble traffice
+ipfw add 001 reass all from any to any
+
+# allow traffic on loopback
+ipfw add 010 allow ip from any to any via lo0
+
+# fail2ban
+ipfw add 020 deny ip from table\(1\) to any
+
+ipfw add 100 check-state
+
+# allow outbound
+ipfw add 110 allow ip from me to any keep-state
+
+# allow icmp
+ipfw add 120 allow icmp from any to any keep-state
+ipfw add 121 allow ipv6-icmp from any to any keep-state
+
+# allow ports
+ipfw add 150 allow tcp from any to me 80 keep-state
+ipfw add 151 allow tcp from any to me 443 keep-state
+ipfw add 152 allow tcp from any to me 7443 keep-state
+ipfw add 153 allow tcp from any to me 5060-5091 keep-state
+ipfw add 154 allow udp from any to me 5060-5091 keep-state
+ipfw add 154 allow udp from any to me 16384-32768 keep-state
+
+ipfw add 500 deny all from any to any
diff --git a/freebsd/resources/postgresql.sh b/freebsd/resources/postgresql.sh
index 34a5cb7f..db6424ab 100755
--- a/freebsd/resources/postgresql.sh
+++ b/freebsd/resources/postgresql.sh
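Review bot: The three `>> /etc/rc.conf` lines and the `>> /etc/sysctl.conf` line append on every run, so re-running the installer leaves duplicate entries; `sysrc firewall_enable=YES firewall_script=/etc/ipfw.rules firewall_logging=YES` sets them idempotently with a base-system tool, and `sysrc -f /etc/sysctl.conf net.inet.ip.fw.one_pass=0` does the same for the sysctl. Writing the sysctl to the file does not apply it to the running kernel, so an immediate `sysctl net.inet.ip.fw.one_pass=0` is needed if the setting is meant to be in effect before `service ipfw start`. The comment `#copy the pf config file` above the cp is a leftover from pf.sh and should read `#copy the ipfw rules file`. Nothing checks that the service started; without `set -e` a failed start leaves the host with no firewall while the rest of the install assumes one, so `service ipfw start || exit 1` is worth adding.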
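Review bot: The ruleset has no inbound allow for the SSH/management port before `ipfw add 500 deny all from any to any`, and ipfw.sh runs `service ipfw start` right after copying it, so any new remote login is blocked and an installer session running over SSH may stall, since the `keep-state` on rule 110 only creates state for flows the host sends first. Add an explicit rule for the management port before rule 500, preferably limited to the admin network, e.g. `ipfw add 155 allow tcp from <ADMIN_NET_PLACEHOLDER> to me 22 keep-state`, or at minimum `ipfw add 155 allow tcp from any to me 22 keep-state`. Rule number 154 is used twice (udp 5060-5091 and udp 16384-32768); ipfw accepts that, but `ipfw delete 154` would remove both, so give the RTP range its own number. The comment `# reassemble traffice` has a typo for `traffic`.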
@@ -24,6 +24,10 @@ password=$(cat /dev/random | env LC_CTYPE=C tr -dc a-zA-Z0-9 | head -c 20)
 echo "Install PostgreSQL and create the database and users\n"
 #postgres install
+if [ ."$database_version" = ."17" ]; then
+	pkg install --yes postgresql17-server
+	#cd /usr/ports/databases/postgresql17-server/ && make install clean BATCH=yes
+fi
 if [ ."$database_version" = ."16" ]; then
 	echo "IGNORE_DEPENDS=postgresql15-client" >> /usr/local/etc/pkg.conf
 	pkg install --yes postgresql16-server
@@ -53,6 +57,9 @@ echo 'postgresql_enable=true' >> /etc/rc.conf
 /usr/local/etc/rc.d/postgresql initdb
 #start postgresql
+if [ ."$database_version" = ."17" ]; then
+	sudo -u postgres /usr/local/bin/pg_ctl -D /var/db/postgres/data17 start
+fi
 if [ ."$database_version" = ."16" ]; then
 	sudo -u postgres /usr/local/bin/pg_ctl -D /var/db/postgres/data16 start
 fi
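Review bot: The new 17 branch installs `postgresql17-server` without the `IGNORE_DEPENDS=postgresql15-client` line that the 16 branch writes to pkg.conf, and nothing in the hunk says whether that workaround was found unnecessary for 17 or simply not carried over; if it is still needed, the pkg step fails on the client-package conflict and the script continues into initdb with no server installed. A one-line comment in the 17 block recording which it is, e.g. `#IGNORE_DEPENDS not required for 17 (verified on <FreeBSD version placeholder>)` once confirmed, would spare the next person the experiment. As a matter of style, the 17 and 16 blocks are independent `if` tests on the same variable; a single `case "$database_version" in` would make the one-of-many intent explicit as further versions are added.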