Date: Thu, 01 Sep 2022 03:47:31 +1000
From: Ian Smith
To: questions@freebsd.org, "Dan Mahoney (Ports)"
CC: kpn@neutralgood.org
Subject: Re: Firewall rules in a directory
List-Id: User questions
List-Archive: https://lists.freebsd.org/archives/freebsd-questions
References: <3FAB82EC-2C82-4201-AA47-B1AA92B89677@gushi.org>

On 30 August 2022 2:40:34 pm AEST, "Dan Mahoney (Ports)" wrote:
> Note, this wasn't intended to be "here's a diff, please put it in",
> just an illustration of how trivial an addition it is.
>
> > On Aug 29, 2022, at 9:36 PM, Dan Mahoney (Ports) wrote:
> >
> > All,
> >
> > At the dayjob, we've taken to putting our ipfw rules into a
> > directory using rcorder'able files. This way, each of our puppet
> > manifests can drop its own rules into place without having to manage
> > a monolithic file.
> >
> > It's a simple patch to rc.firewall, where if you set firewall_type
> > to a file, it just runs it, but if it's a directory, it would treat
> > it as such:
> >
> > *)
> > 	if [ -r "${firewall_type}" ]; then
> > 		if [ -f "${firewall_type}" ]; then
> > 			${fwcmd} ${firewall_flags} ${firewall_type}
> > 		else
> > 			if [ -d "${firewall_type}" ]; then
> > 				for fwfile in `rcorder $firewall_type/*`
> > 				do
> > 					ipfw -q $fwfile;
> > 				done
> > 			fi
> > 		fi
> >
> > Is there a possibility of getting this into base?
> >
> > -Dan

Getting code into rc.firewall has proven difficult over the years, for me
impossible. It even took julian@ a couple of years to get a sensible use
of tables into firewall_type 'simple' - but things may have changed.

I've tried rendering your code into the usual format below, saving a level
of indenting with 'elif', and noting that '-q' and the path are included in
${fwcmd} earlier in rc.firewall.

If it's really intended to launch multiple instances of ipfw, it may win
more favour - as a bug / feature request as Kevin suggests - if you're sure
how things like 'service ipfw status' or 'restart' handle them in
/etc/rc.d/ipfw?

Good Luck, Ian

*)
	if [ -r "${firewall_type}" ]; then
		if [ -f "${firewall_type}" ]; then
			${fwcmd} ${firewall_flags} ${firewall_type}
		elif [ -d "${firewall_type}" ]; then
			for fwfile in `rcorder ${firewall_type}/*`
			do
				${fwcmd} ${firewall_flags} ${fwfile}
			done
		fi
	fi
	;;
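An added example, not code from the thread or from FreeBSD's rc.firewall: the "directory" branch above as a stand-alone sh function with the checks a reviewer would ask for (readable directory, non-empty glob, rcorder failure, unusable entry), plus a demo harness with constructed rule files. The names load_firewall_dir, demo_load and FW_ORDER are assumed; FW_ORDER only exists so the demo can run on hosts without rcorder(8).

```shell
#!/bin/sh
# Added example, not code from the thread. It renders the "directory"
# branch of the proposed rc.firewall change as a stand-alone function with
# the checks a reviewer would ask for, plus a demo harness. Hypothetical
# names: load_firewall_dir, demo_load, FW_ORDER (override for rcorder(8)).
: "${FW_ORDER:=rcorder}"

# load_firewall_dir DIR FWCMD [FLAGS...]
# Feeds every regular, readable file in DIR to FWCMD in rcorder(8) order,
# i.e. FWCMD FLAGS FILE, as rc.firewall does with ${fwcmd} ${firewall_flags}.
# Returns 1 on an empty or unreadable DIR, an rcorder failure or a bad
# entry, so the rc script can fail loudly rather than boot with a partial
# ruleset. Filenames must not contain whitespace (as in the original loop).
load_firewall_dir() {
    _dir=$1; _fwcmd=$2; shift 2
    [ -d "$_dir" ] && [ -r "$_dir" ] || return 1
    [ -n "$(ls -A "$_dir")" ] || return 1        # glob would stay literal
    _list=$("$FW_ORDER" "$_dir"/*) || return 1
    for _f in $_list; do
        [ -f "$_f" ] && [ -r "$_f" ] || return 1
        "$_fwcmd" "$@" "$_f" || return 1
    done
}

# demo_load: constructed rule directory with stubs standing in for ipfw and,
# where rcorder(8) is absent, for rcorder; prints the resulting load order.
demo_load() {
    _tmp=$(mktemp -d) || return 1
    # Constructed files: the ssh rules REQUIRE the base set, so rcorder
    # emits 10_base before 20_ssh regardless of directory order.
    printf '# PROVIDE: base\nadd 100 allow ip from any to any via lo0\n' \
        > "$_tmp/10_base"
    printf '# REQUIRE: base\nadd 200 allow tcp from any to me 22\n' \
        > "$_tmp/20_ssh"
    fake_ipfw() { basename "$2" >> "$_tmp/log"; }   # stands in for ipfw -q
    fake_rcorder() { printf '%s\n' "$@"; }         # lexical fallback
    command -v rcorder >/dev/null 2>&1 || FW_ORDER=fake_rcorder
    load_firewall_dir "$_tmp" fake_ipfw -q || { rm -rf "$_tmp"; return 1; }
    paste -s -d ' ' "$_tmp/log"
    rm -rf "$_tmp"
}
```

On a real host the function is called as load_firewall_dir "${firewall_type}" /sbin/ipfw -q ${firewall_flags}; the non-zero return on an empty or unreadable directory is the part the original loop lacks, and it is what lets 'service ipfw start' report a failure instead of silently loading nothing.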