Date:      Thu, 01 Sep 2022 03:47:31 +1000
From:      Ian Smith <smithi@nimnet.asn.au>
To:        questions@freebsd.org,"Dan Mahoney (Ports)" <freebsd@gushi.org>
Cc:        kpn@neutralgood.org
Subject:   Re: Firewall rules in a directory
Message-ID:  <DED6C218-0517-4A0D-8C7A-1FDBFFC84A3D@nimnet.asn.au>
In-Reply-To: <D666503D-E5E2-4B6D-A960-A362EEFE6F95@gushi.org>
References:  <3FAB82EC-2C82-4201-AA47-B1AA92B89677@gushi.org> <D666503D-E5E2-4B6D-A960-A362EEFE6F95@gushi.org>


On 30 August 2022 2:40:34 pm AEST, "Dan Mahoney (Ports)" <freebsd@gushi.org> wrote:
> Note, this wasn’t intended to be “here’s a diff, please put it in”,
> just an illustration of how trivial an addition it is.
> 
> > On Aug 29, 2022, at 9:36 PM, Dan Mahoney (Ports) <freebsd@gushi.org> wrote:
> > 
> > All,
> > 
> > At the dayjob, we’ve taken to putting our ipfw rules into a
> > directory using rcorder’able files.  This way, each of our puppet
> > manifests can drop its own rules into place without having to manage
> > a monolithic file.
> > 
> > It’s a simple patch to rc.firewall, where if you set firewall_type
> > to a file, it just runs it, but if it’s a directory, it would treat
> > it as such:
> > 
> > *)
> >  if [ -r "${firewall_type}" ]; then
> >    if [ -f "${firewall_type}" ]; then
> >      ${fwcmd} ${firewall_flags} ${firewall_type}
> >    else
> >      if [ -d "${firewall_type}" ]; then
> >        for fwfile in `rcorder $firewall_type/*`
> >          do
> >            ipfw -q $fwfile;
> >        done
> >      fi
> >    fi
> > 
> > Is there a possibility of getting this into base?
> > 
> > -Dan

Getting code into rc.firewall has proven difficult over the years, for me impossible. It even took julian@ a couple of years to get a sensible use of tables into firewall_type 'simple' - but things may have changed.

I've tried rendering your code into the usual format below, saving a level of indenting with 'elif', and noting that '-q' and the path are included in ${fwcmd} earlier in rc.firewall.

If it's really intended to launch multiple instances of ipfw, it may win more favour - as a bug / feature request as Kevin suggests - if you're sure how things like 'service ipfw status' or 'restart' handle them in /etc/rc.d/ipfw?

Good Luck, Ian

<code>
*)
	if [ -r "${firewall_type}" ]; then
		if [ -f "${firewall_type}" ]; then
			${fwcmd} ${firewall_flags} ${firewall_type}
		elif [ -d "${firewall_type}" ]; then
			for fwfile in `rcorder ${firewall_type}/*`; do
				${fwcmd} ${firewall_flags} ${fwfile}
			done
		fi
	fi
	;;
</code>
