From: "Dan Mahoney, System Admin"
To: Arthur Chance
Cc: questions@freebsd.org
Date: Sat, 7 Feb 2015 10:40:22 -0800 (PST)
Subject: Re: IPFW script that supports some kind of rc.d directory?
In-Reply-To: <54D5EC86.6050806@qeng-ho.org>
References: <54D5EC86.6050806@qeng-ho.org>

On Sat, 7 Feb 2015, Arthur Chance wrote:

> On 07/02/2015 10:02, Dan Mahoney, System Admin wrote:
>> Hey all,
>>
>> This seems like the kind of thing that people have needed often enough
>> -- for example when you want to have specific ipfw rules for specific
>> installed services, and your ipfw config to be multiple files loaded in
>> some kind of order, but my google-fu is failing me.
>>
>> Failing that, I know FreeBSD has some rcorder, which might be usable for
>> this, but I don't know if it's extensible to a whole separate class of
>> things (or if trying to do that is overkill).
>>
>> Is this a problem someone else has had/solved before?
>>
>
> I've no idea if someone has already done this, but the final form of ipfw in
> the manual is
>
>     ipfw [-cfnNqS] [-p preproc [preproc-flags]] pathname
>
> Using cpp as the preprocessor (or maybe m4 if you're a quote loving masochist
> :-) would let you use #include or the equivalent. That's not quite what
> you're asking, but a start. m4 with syscmd and (s)include would go further.
Assuming I numbered the rules files like old sys-v rcfiles, it could be as
simple as:

    for i in `ls /etc/rc.ipfw.d | sort`
    do
        cat /etc/rc.ipfw.d/$i >> $file
    done
    ipfw $file

Or even:

    for i in `ls /etc/rc.ipfw.d | sort`
    do
        ipfw /etc/rc.ipfw.d/$i
    done

But I can't imagine with the prevalence of puppet, cfengine and ansible and
other things these days, someone hasn't come up with something prettier,
something that doesn't let rule 19 out of 20 crash the whole thing, and
perhaps something that lets you compare the built rules with the running
ruleset.

I'd love to see base gain such a thing, such that if you set
$firewall_type=a directory, rather than a file, this just happened.

-Dan

--
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
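An added example, not Dan's or Arthur's code and not part of the thread: a POSIX sh loader that does what Dan's second loop does, with the two properties he asks for. Every fragment is syntax-checked with ipfw's -n flag before anything is loaded, and fragments are then loaded one file at a time, so a broken fragment is named on stderr instead of silently truncating the ruleset; build_ruleset writes the concatenated rules with a marker per fragment so builds can be diffed. The directory $RULES_DIR, the file naming 10-base.ipfw, and the overridable $IPFW command are my assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: fragments live in
# $RULES_DIR and are named like 10-base.ipfw, 20-ssh.ipfw; $IPFW names the
# ipfw binary and can be overridden so the logic runs without ipfw present.

RULES_DIR="${RULES_DIR:-/etc/rc.ipfw.d}"
IPFW="${IPFW:-ipfw}"

# Concatenate the fragments, in collation order (10-* before 20-*), into
# one file with a marker comment per fragment, for inspection or diffing.
build_ruleset() {
    : > "$2"
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '# --- %s ---\n' "$f" >> "$2"
        cat "$f" >> "$2"
    done
}

# Run every fragment through "ipfw -n" (syntax check only, nothing reaches
# the kernel). Returns the number of fragments that failed the check.
check_fragments() {
    bad=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        "$IPFW" -n -q "$f" >/dev/null 2>&1 || {
            bad=$((bad + 1)); echo "syntax error in $f" >&2; }
    done
    return "$bad"
}

# Preflight the whole directory; if any fragment fails, load nothing, since
# a ruleset with a hole in it is worse than the previous ruleset. Otherwise
# load fragment by fragment so a load-time failure is reported by name and
# the remaining fragments are still applied. Returns the failure count.
load_fragments() {
    check_fragments "$1" || return $?
    bad=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        "$IPFW" -q "$f" || { bad=$((bad + 1)); echo "failed to load $f" >&2; }
    done
    return "$bad"
}
```

Calling load_fragments "$RULES_DIR" from an rc script and refusing to continue on a nonzero return gives the "rule 19 of 20" case a fail-closed outcome.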