Re: Firewall rules in a directory
Date: Wed, 31 Aug 2022 17:47:31 UTC
On 30 August 2022 2:40:34 pm AEST, "Dan Mahoney (Ports)" <freebsd@gushi.org> wrote:
> Note, this wasn't intended to be "here's a diff, please put it in",
> just an illustration of how trivial an addition it is.
>
> > On Aug 29, 2022, at 9:36 PM, Dan Mahoney (Ports)
> > <freebsd@gushi.org> wrote:
> >
> > All,
> >
> > At the dayjob, we've taken to putting our ipfw rules into a
> > directory using rcorder'able files. This way, each of our puppet
> > manifests can drop its own rules into place without having to manage
> > a monolithic file.
> >
> > It's a simple patch to rc.firewall, where if you set firewall_type
> > to a file, it just runs it, but if it's a directory, it would treat
> > it as such:
> >
> > *)
> >   if [ -r "${firewall_type}" ]; then
> >     if [ -f "${firewall_type}" ]; then
> >       ${fwcmd} ${firewall_flags} ${firewall_type}
> >     else
> >       if [ -d "${firewall_type}" ]; then
> >         for fwfile in `rcorder $firewall_type/*`
> >         do
> >           ipfw -q $fwfile;
> >         done
> >       fi
> >     fi
> >
> > Is there a possibility of getting this into base?
> >
> > -Dan

Getting code into rc.firewall has proven difficult over the years, for me
impossible. It even took julian@ a couple of years to get a sensible use of
tables into firewall_type 'simple' - but things may have changed.

I've tried rendering your code into the usual format below, saving a level
of indenting with 'elif', and noting that '-q' and the path are included in
${fwcmd} earlier in rc.firewall.

If it's really intended to launch multiple instances of ipfw, it may win
more favour - as a bug / feature request as Kevin suggests - if you're sure
how things like 'service ipfw status' or 'restart' handle them in
/etc/rc.d/ipfw?

Good Luck, Ian

    *)
        if [ -r "${firewall_type}" ]; then
            if [ -f "${firewall_type}" ]; then
                ${fwcmd} ${firewall_flags} ${firewall_type}
            elif [ -d "${firewall_type}" ]; then
                for fwfile in `rcorder ${firewall_type}/*`
                do
                    ${fwcmd} ${firewall_flags} ${fwfile}
                done
            fi
        fi
        ;;
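Added example, not code from the thread or from FreeBSD's rc.firewall: the same file-or-directory dispatch as a stand-alone sh function, with one check a loader of root-executed rule files should make, since every file dropped into the directory becomes ipfw commands. It assumes a stub `record_rule_file` in place of ipfw and falls back to sorted order when rcorder is not installed; the permission check is this example's addition, not part of the proposed patch.

```shell
# fwcmd/firewall_flags follow rc.firewall's variable names; the default fwcmd
# here is a stub (assumption) that records the file instead of invoking ipfw.
fwcmd="${fwcmd:-record_rule_file}"
firewall_flags="${firewall_flags:--q}"
FW_LOG="${FW_LOG:-/tmp/fw_loaded.log}"

record_rule_file() {
    # Stand-in for "ipfw -q <file>": append the last argument (the rules file).
    for last in "$@"; do :; done
    printf '%s\n' "$last" >> "$FW_LOG"
}

# Every file in the directory is executed as ipfw commands by root, so refuse
# anything that is not a regular file or that group/other can write to.
rule_file_ok() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c6,9)" in   # group and other write bits
        *w*) return 1 ;;
    esac
    return 0
}

load_firewall_type() {
    # $1 = firewall_type: a rules file, or a directory of rules files
    ft=$1
    if [ ! -r "$ft" ]; then
        echo "firewall_type not readable: $ft" >&2
        return 1
    fi
    if [ -f "$ft" ]; then
        ${fwcmd} ${firewall_flags} "$ft"
    elif [ -d "$ft" ]; then
        if command -v rcorder >/dev/null 2>&1; then
            files=$(rcorder "$ft"/*)                # honours PROVIDE/REQUIRE headers
        else
            files=$(ls "$ft"/* 2>/dev/null | sort)  # fallback: lexical order (assumption)
        fi
        # word splitting on whitespace, as in the original loop: no spaces in names
        for fwfile in $files; do
            if rule_file_ok "$fwfile"; then
                ${fwcmd} ${firewall_flags} "$fwfile"
            else
                echo "skipping $fwfile: not a regular, owner-only-writable file" >&2
            fi
        done
    fi
}
```

Run with `fwcmd=/sbin/ipfw` on a FreeBSD host to load for real; with the default stub it only lists what would have been loaded.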