Date: Fri, 26 Jun 2026 14:40:15 +0000 From: Dag-Erling=?utf-8?Q? Sm=C3=B8rg?=rav <des@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: a71abf38e2b4 - main - rc.firewall: Support on-disk lists Message-ID: <6a3e8f4f.1f1e2.17cad796@gitrepo.freebsd.org>
index | next in thread | raw e-mail
The branch main has been updated by des: URL: https://cgit.FreeBSD.org/src/commit/?id=a71abf38e2b46c02965f3224c62bb6ef1971996e commit a71abf38e2b46c02965f3224c62bb6ef1971996e Author: Dag-Erling Smørgrav <des@FreeBSD.org> AuthorDate: 2026-06-26 14:38:53 +0000 Commit: Dag-Erling Smørgrav <des@FreeBSD.org> CommitDate: 2026-06-26 14:38:53 +0000 rc.firewall: Support on-disk lists For firewall_allowservices and firewall_trusted, if an element of the list looks like an absolute path, read the file, skipping comments and blank lines, and treat the first word on each line as an address or subnet to be added to the list. We should probably be using tables instead, but this is still an improvement over the status quo ante. MFC after: 1 week Relnotes: yes Reviewed by: allanjude Differential Revision: https://reviews.freebsd.org/D57679 --- libexec/rc/rc.conf | 11 +++++++---- libexec/rc/rc.firewall | 43 ++++++++++++++++++++++++++++++++----------- 2 files changed, 39 insertions(+), 15 deletions(-) diff --git a/libexec/rc/rc.conf b/libexec/rc/rc.conf index 6e70baccac98..ab92a464b133 100644 --- a/libexec/rc/rc.conf +++ b/libexec/rc/rc.conf @@ -183,11 +183,14 @@ firewall_simple_onet="192.0.2.0/28" # Outside network address for "simple" # for "simple" firewall. firewall_myservices="" # List of ports/protocols on which this host # offers services for "workstation" firewall. -firewall_allowservices="" # List of IPs which have access to +firewall_allowservices="" # List of IPs or subnets which have access to # $firewall_myservices for "workstation" - # firewall. -firewall_trusted="" # List of IPs which have full access to this - # host for "workstation" firewall. + # firewall, or of files containing lists of + # IPs or subnets, one per line. +firewall_trusted="" # List of IPs or subnets which have full access + # to this host for "workstation" firewall, or + # of files containing lists of IPs or subnets, + # one per line. firewall_logdeny="NO" # Set to YES to log default denied incoming # packets for "workstation" firewall. firewall_nologports="135-139,445 1026,1027 1433,1434" # List of TCP/UDP ports diff --git a/libexec/rc/rc.firewall b/libexec/rc/rc.firewall index 65bf1cc54f85..f3e1ea116522 100644 --- a/libexec/rc/rc.firewall +++ b/libexec/rc/rc.firewall @@ -406,10 +406,14 @@ case ${firewall_type} in # firewall_myservices: List of ports/protocols on which this # host offers services. # firewall_allowservices: List of IPv4 and/or IPv6 addresses - # that have access to - # $firewall_myservices. + # or subnets that have access to + # $firewall_myservices, or files + # containing such address or subnets, + # one per line. # firewall_trusted: List of IPv4 and/or IPv6 addresses - # that have full access to this host. + # or subnets that have full access to + # this host, or files containing such + # addresses or subnets, one per line. # Be very careful when setting this. # This option can seriously degrade # the level of protection provided by @@ -467,25 +471,33 @@ case ${firewall_type} in # workstation won't be a problem. # for i in ${firewall_allowservices} ; do + case $i in + /*) + grep '^[^#]' "$i" + ;; + *) + echo "$i" + ;; + esac + done | while read i _; do for j in ${firewall_myservices} ; do case $j in [0-9A-Za-z]*/[Pp][Rr][Oo][Tt][Oo]) ${fwcmd} add pass ${j%/[Pp][Rr][Oo][Tt][Oo]} from $i to me - ;; + ;; [0-9A-Za-z]*/[Tt][Cc][Pp]) ${fwcmd} add pass tcp from $i to me ${j%/[Tt][Cc][Pp]} - ;; + ;; [0-9A-Za-z]*/[Uu][Dd][Pp]) ${fwcmd} add pass udp from $i to me ${j%/[Uu][Dd][Pp]} - ;; + ;; *[0-9A-Za-z]) - echo "Consider using ${j}/tcp in firewall_myservices." \ - > /dev/stderr + echo "Consider using ${j}/tcp in firewall_myservices." >&2 ${fwcmd} add pass tcp from $i to me $j - ;; + ;; *) - echo "Invalid port in firewall_myservices: $j" > /dev/stderr - ;; + echo "Invalid port in firewall_myservices: $j" >&2 + ;; esac done done @@ -494,6 +506,15 @@ case ${firewall_type} in # Playing with the content of firewall_trusted could seriously # degrade the level of protection provided by the firewall. for i in ${firewall_trusted} ; do + case $i in + /*) + grep '^[^#]' "$i" + ;; + *) + echo "$i" + ;; + esac + done | while read i _ ; do ${fwcmd} add pass ip from $i to me donehome | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6a3e8f4f.1f1e2.17cad796>
