IPFW script that supports some kind of rc.d directory?
Dan Mahoney, System Admin
danm at prime.gushi.org
Sat Feb 7 18:40:28 UTC 2015
On Sat, 7 Feb 2015, Arthur Chance wrote:
> On 07/02/2015 10:02, Dan Mahoney, System Admin wrote:
>> Hey all,
>>
>> This seems like the kind of thing that people have needed often enough
>> -- for example when you want to have specific ipfw rules for specific
>> installed services, and your ipfw config to be multiple files loaded in
>> some kind of order, but my google-fu is failing me.
>>
>> Failing that, I know FreeBSD has some rcorder, which might be usable for
>> this, but I don't know if it's extensible to a whole separate class of
>> things (or if trying to do that is overkill).
>>
>> Is this a problem someone else has had/solved before?
>>
>
> I've no idea if someone has already done this, but the final form of ipfw in
> the manual is
>
> ipfw [-cfnNqS] [-p preproc [preproc-flags]] pathname
>
> Using cpp as the preprocessor (or maybe m4 if you're a quote loving masochist
> :-) would let you use #include or the equivalent. That's not quite up to what
> you're asking, but a start. m4 with syscmd and (s)include would go further.
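
Assuming I numbered the rules files like old sys-v rcfiles, it could be
as simple as:

    # concatenate the fragments in sorted order, then load the result
    file=`mktemp /tmp/ipfw.rules.XXXXXX`
    for i in `ls /etc/rc.ipfw.d | sort`; do
        cat "/etc/rc.ipfw.d/$i" >> "$file"
    done
    ipfw "$file"

Or even:

    # load each fragment on its own, in sorted order
    for i in `ls /etc/rc.ipfw.d | sort`; do
        ipfw "/etc/rc.ipfw.d/$i"
    done
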
But I can't imagine with the prevalence of puppet, cfengine and ansible
and other things these days, someone hasn't come up with something
prettier, something that doesn't let rule 19 out of 20 crash the whole
thing, and perhaps something that lets you compare the built rules with
the running ruleset.

I'd love to see base gain such a thing, such that if you set
$firewall_type=a directory, rather than a file, this just happened.

-Dan
--
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
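
An added example (not part of the original message or of FreeBSD base) of the directory-of-fragments idea discussed above: every fragment is syntax-checked with the -n flag from the quoted synopsis before anything is loaded, so a broken file leaves the running ruleset alone instead of producing a half-loaded firewall. The /etc/rc.ipfw.d layout comes from the message; the RULES_DIR and IPFW_CHECK variables, the build_ruleset function and the "apply" argument are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original thread.
# RULES_DIR must be an absolute path; fragments are named like 10-base, 20-ssh.
RULES_DIR="${RULES_DIR:-/etc/rc.ipfw.d}"
# "ipfw -n" only checks syntax; nothing is passed to the kernel.
# IPFW_CHECK is an assumed override so the check command can be swapped out.
IPFW_CHECK="${IPFW_CHECK:-ipfw -q -n}"

# build_ruleset OUTFILE
# Concatenates every fragment that passes the syntax check into OUTFILE,
# in the shell's sorted glob order. Returns 0 only if all fragments passed,
# so the caller can refuse to load a ruleset with a missing piece.
build_ruleset() {
    out="$1"
    rc=0
    : > "$out"
    for f in "$RULES_DIR"/*; do
        [ -f "$f" ] || continue
        if $IPFW_CHECK "$f" >/dev/null 2>&1; then
            cat "$f" >> "$out"
        else
            echo "rejected $f: failed syntax check" >&2
            rc=1
        fi
    done
    return $rc
}

# Load only when invoked as "<script> apply" and every fragment passed;
# on any rejection the running ruleset is not touched.
if [ "${1:-}" = "apply" ]; then
    candidate=$(mktemp /tmp/ipfw.rules.XXXXXX) || exit 1
    if build_ruleset "$candidate"; then
        ipfw -q "$candidate"
    else
        echo "not loading $candidate: fix the rejected fragments first" >&2
        exit 1
    fi
fi
```

Refusing to load on any rejection is a deliberate choice here: silently skipping a fragment could drop a deny rule and leave the host more open than intended.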