Date: Thu, 01 Sep 2022 03:47:31 +1000
From: Ian Smith <smithi@nimnet.asn.au>
To: questions@freebsd.org, "Dan Mahoney (Ports)" <freebsd@gushi.org>
Cc: kpn@neutralgood.org
Subject: Re: Firewall rules in a directory
Message-ID: <DED6C218-0517-4A0D-8C7A-1FDBFFC84A3D@nimnet.asn.au>
In-Reply-To: <D666503D-E5E2-4B6D-A960-A362EEFE6F95@gushi.org>
References: <3FAB82EC-2C82-4201-AA47-B1AA92B89677@gushi.org> <D666503D-E5E2-4B6D-A960-A362EEFE6F95@gushi.org>
On 30 August 2022 2:40:34 pm AEST, "Dan Mahoney (Ports)" <freebsd@gushi.org> wrote:
> Note, this wasn't intended to be "here's a diff, please put it in",
> just an illustration of how trivial an addition it is.
>
> > On Aug 29, 2022, at 9:36 PM, Dan Mahoney (Ports) <freebsd@gushi.org> wrote:
> >
> > All,
> >
> > At the dayjob, we've taken to putting our ipfw rules into a
> > directory using rcorder'able files. This way, each of our puppet
> > manifests can drop its own rules into place without having to manage
> > a monolithic file.
> >
> > It's a simple patch to rc.firewall, where if you set firewall_type
> > to a file, it just runs it, but if it's a directory, it would treat
> > it as such:
> >
> >     *)
> >     if [ -r "${firewall_type}" ]; then
> >         if [ -f "${firewall_type}" ]; then
> >             ${fwcmd} ${firewall_flags} ${firewall_type}
> >         else
> >             if [ -d "${firewall_type}" ]; then
> >                 for fwfile in `rcorder $firewall_type/*`
> >                 do
> >                     ipfw -q $fwfile;
> >                 done
> >             fi
> >     fi
> >
> > Is there a possibility of getting this into base?
> >
> > -Dan

Getting code into rc.firewall has proven difficult over the years, for me impossible. It even took julian@ a couple of years to get a sensible use of tables into firewall_type 'simple' - but things may have changed.

I've tried rendering your code into the usual format below, saving a level of indenting with 'elif', and noting that '-q' and the path are included in ${fwcmd} earlier in rc.firewall.

If it's really intended to launch multiple instances of ipfw, it may win more favour - as a bug / feature request as Kevin suggests - if you're sure how things like 'service ipfw status' or 'restart' handle them in /etc/rc.d/ipfw?
Good Luck, Ian

<code>
	*)
	if [ -r "${firewall_type}" ]; then
		if [ -f "${firewall_type}" ]; then
			${fwcmd} ${firewall_flags} ${firewall_type}
		elif [ -d "${firewall_type}" ]; then
			for fwfile in `rcorder ${firewall_type}/*`
			do
				${fwcmd} ${firewall_flags} ${fwfile}
			done
		fi
	fi
	;;
</code>
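As an added example (not code from this thread, from rc.firewall, or from FreeBSD), here is the directory branch written out as a small POSIX sh script with the checks a reviewer of such a change would ask for: only regular files are loaded, editor backups and dotfiles are skipped so a stray `20-web~` cannot add rules, an empty directory is handled, the loop stops at the first file ${fwcmd} rejects instead of continuing with a half-built ruleset, and every file goes through the same ${fwcmd} rather than a bare `ipfw -q`. Since each ipfw(8) call is a one-shot rule loader that adds rules to the kernel ruleset and exits, the loop does not leave any processes behind. The fallback to glob order when rcorder(8) is absent, the `fake_ipfw` stub, and the scratch rule files are assumptions made so the script runs on a non-FreeBSD host; on a real system ${fwcmd} is the one rc.firewall sets.

```shell
#!/bin/sh
# Added example, not code from rc.firewall or from the thread: load ipfw
# rule files from a directory in rcorder(8) order, with the checks one
# would want before proposing this for /etc/rc.firewall.
# Assumptions: ${fwcmd} already carries the ipfw path and -q (as it does
# in rc.firewall); rule files use rcorder's "# PROVIDE:" / "# REQUIRE:"
# headers; file names contain no whitespace (as for rc.d scripts).

# Print the rule files in "$1", one per line, in load order.
# Only regular files are considered; editor/backup leftovers and dotfiles
# are skipped. Falls back to plain glob (lexical) order where rcorder is
# not installed, which is what lets this run on a non-FreeBSD host.
fw_rule_files() {
    dir=$1
    set --                                  # collect candidates as "$@"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue             # also drops the literal "dir/*" of an empty glob
        case ${f##*/} in
            .*|*~|*.bak|*.orig|*.rej|*.swp) continue ;;
        esac
        set -- "$@" "$f"
    done
    [ $# -gt 0 ] || return 0
    if command -v rcorder >/dev/null 2>&1; then
        rcorder "$@"
    else
        printf '%s\n' "$@"
    fi
}

# Load every rule file through ${fwcmd} and print how many were loaded.
# Stops at the first failing file rather than carrying on with a
# half-built ruleset; the caller decides what to do next.
fw_load_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "fw_load_dir: $dir is not a directory" >&2
        return 2
    fi
    n=0
    for fwfile in $(fw_rule_files "$dir"); do
        if ! ${fwcmd} ${firewall_flags} "$fwfile"; then
            echo "fw_load_dir: '${fwcmd}' failed on $fwfile" >&2
            return 1
        fi
        n=$((n + 1))
    done
    echo "$n"
}

# Demonstration on constructed input: a scratch directory holding two real
# rule files plus an editor backup that must be ignored, and a stub that
# stands in for ipfw and only records which file it was asked to load.
# Prints the base names in load order: "10-base 20-web".
fw_demo() {
    tmp=$(mktemp -d) || return 1
    printf '# PROVIDE: base\nadd 100 allow ip from any to any via lo0\n' > "$tmp/10-base"
    printf '# PROVIDE: web\n# REQUIRE: base\nadd 200 allow tcp from any to me 443\n' > "$tmp/20-web"
    printf 'add 999 deny ip from any to any\n' > "$tmp/20-web~"
    # Stub for ipfw: accept the -q that ${fwcmd} carries, log the file name.
    fake_ipfw() { [ "$1" = "-q" ] && shift; printf '%s\n' "${1##*/}" >> "$tmp/loaded"; }
    fwcmd="fake_ipfw -q"
    firewall_flags=""
    fw_load_dir "$tmp" > /dev/null || { rm -rf "$tmp"; return 1; }
    out=$(tr '\n' ' ' < "$tmp/loaded")
    rm -rf "$tmp"
    printf '%s\n' "${out% }"
}
```

To use it from rc.firewall the `elif [ -d ... ]` branch would simply call `fw_load_dir "${firewall_type}"` and act on its exit status; the name filter is deliberately conservative, and anything puppet drops in that is not a plain rule file should be given a name the filter rejects.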