Re: Firewall rules in a directory
- Reply: Dan Mahoney (Ports): "Re: Firewall rules in a directory"
- In reply to: Dan Mahoney (Ports): "Re: Firewall rules in a directory"
Date: Wed, 31 Aug 2022 17:47:31 UTC
On 30 August 2022 2:40:34 pm AEST, "Dan Mahoney (Ports)" <freebsd@gushi.org> wrote:
> Note, this wasn’t intended to be “here’s a diff, please put it in”,
> just an illustration of how trivial an addition it is.
>
> > On Aug 29, 2022, at 9:36 PM, Dan Mahoney (Ports) <freebsd@gushi.org> wrote:
> >
> > All,
> >
> > At the dayjob, we’ve taken to putting our ipfw rules into a directory using rcorder’able files. This way, each of our puppet manifests can drop its own rules into place without having to manage a monolithic file.
> >
> > It’s a simple patch to rc.firewall, where if you set firewall_type to a file, it just runs it, but if it’s a directory, it would treat it as such:
> >
> > *)
> >     if [ -r "${firewall_type}" ]; then
> >         if [ -f "${firewall_type}" ]; then
> >             ${fwcmd} ${firewall_flags} ${firewall_type}
> >         else
> >             if [ -d "${firewall_type}" ]; then
> >                 for fwfile in `rcorder $firewall_type/*`
> >                 do
> >                     ipfw -q $fwfile;
> >                 done
> >             fi
> >         fi
> >
> > Is there a possibility of getting this into base?
> >
> > -Dan
Getting code into rc.firewall has proven difficult over the years, for me impossible. It even took julian@ a couple of years to get a sensible use of tables into firewall_type 'simple' - but things may have changed.
I've tried rendering your code into the usual format below, saving a level of indenting with 'elif', and noting that '-q' and path is included in ${fwcmd} earlier in rc.firewall.
If it's really intended to launch multiple instances of ipfw, it may win more favour - as a bug / feature request as Kevin suggests - if you're sure how things like 'service ipfw status' or 'restart' handle them in /etc/rc.d/ipfw?
Good Luck, Ian
<code>
*)
    if [ -r "${firewall_type}" ]; then
        if [ -f "${firewall_type}" ]; then
            ${fwcmd} ${firewall_flags} ${firewall_type}
        elif [ -d "${firewall_type}" ]; then
            for fwfile in `rcorder ${firewall_type}/*`
            do
                ${fwcmd} ${firewall_flags} ${fwfile}
            done
        fi
    fi
    ;;
</code>
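A stand-alone version of the file-or-directory dispatch rendered above, added here as an example for this thread; it is not code from rc.firewall, from Dan's patch or from Ian's rendering. It assumes a LOADER argument standing in for `${fwcmd} ${firewall_flags}` (pass `echo` to dry-run), uses rcorder(8) when it is on the host and otherwise falls back to sorted file names (an assumption so the script also runs off FreeBSD), and skips directory entries that are not regular files or are writable by others, since every line in those files ends up as a kernel firewall rule. It does not answer Ian's question about how `service ipfw status` or `restart` treat the result.

```shell
#!/bin/sh
# Added example, not code from rc.firewall or from this thread.
# load_firewall_rules TYPE LOADER
#   TYPE   - the firewall_type value: a rules file or a directory of rules files
#   LOADER - assumed stand-in for "${fwcmd} ${firewall_flags}"; it receives one
#            rules file per call ("echo" gives a dry run)
# Prints each file handed to LOADER; returns 1 if TYPE is unreadable or no
# file was loaded.

# Order the files in a directory: rcorder(8) where it exists (FreeBSD),
# otherwise plain sorted names so the example also runs on non-BSD hosts.
order_rule_files() {
    dir=$1
    if command -v rcorder >/dev/null 2>&1; then
        rcorder "$dir"/*
    else
        for f in "$dir"/*; do
            [ -e "$f" ] && printf '%s\n' "$f"
        done | sort
    fi
}

# Accept a rules file only if it is a regular file that others cannot write:
# a directory anyone can drop a file into, or a file anyone can edit, would
# let that party add kernel firewall rules at the next (re)load.
rule_file_is_safe() {
    f=$1
    [ -f "$f" ] || return 1
    [ -z "$(find "$f" -perm -002 -print 2>/dev/null)" ]
}

load_firewall_rules() {
    firewall_type=$1
    loader=$2
    loaded=0
    if [ ! -r "$firewall_type" ]; then
        echo "firewall_type '$firewall_type' is not readable" >&2
        return 1
    fi
    if [ -f "$firewall_type" ]; then
        $loader "$firewall_type" && loaded=1
    elif [ -d "$firewall_type" ]; then
        # split the ordered list on newlines only, so names with spaces survive
        old_ifs=$IFS
        IFS='
'
        for fwfile in $(order_rule_files "$firewall_type"); do
            if rule_file_is_safe "$fwfile"; then
                $loader "$fwfile" && loaded=$((loaded + 1))
            else
                echo "skipping $fwfile: not a regular file or writable by others" >&2
            fi
        done
        IFS=$old_ifs
    fi
    [ "$loaded" -gt 0 ]
}
```

With rcorder present, a file carrying `# REQUIRE: base` is loaded after the file that says `# PROVIDE: base`; without it, the sorted fallback only gives a stable, not a dependency-aware, order, so name the files accordingly on such hosts.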