diff --git a/libexec/rc/rc.conf b/libexec/rc/rc.conf
--- a/libexec/rc/rc.conf
+++ b/libexec/rc/rc.conf
@@ -182,11 +182,14 @@
# for "simple" firewall.
firewall_myservices="" # List of ports/protocols on which this host
# offers services for "workstation" firewall.
-firewall_allowservices="" # List of IPs which have access to
+firewall_allowservices="" # List of IPs or subnets which have access to
# $firewall_myservices for "workstation"
- # firewall.
-firewall_trusted="" # List of IPs which have full access to this
- # host for "workstation" firewall.
+ # firewall, or of files containing lists of
+ # IPs or subnets, one per line.
+firewall_trusted="" # List of IPs or subnets which have full access
+ # to this host for "workstation" firewall, or
+ # of files containing lists of IPs or subnets,
+ # one per line.
firewall_logdeny="NO" # Set to YES to log default denied incoming
# packets for "workstation" firewall.
firewall_nologports="135-139,445 1026,1027 1433,1434" # List of TCP/UDP ports
diff --git a/libexec/rc/rc.firewall b/libexec/rc/rc.firewall
--- a/libexec/rc/rc.firewall
+++ b/libexec/rc/rc.firewall
@@ -406,10 +406,14 @@
# firewall_myservices: List of ports/protocols on which this
# host offers services.
# firewall_allowservices: List of IPv4 and/or IPv6 addresses
- # that have access to
- # $firewall_myservices.
+ # or subnets that have access to
+ # $firewall_myservices, or files
+ # containing such address or subnets,
+ # one per line.
# firewall_trusted: List of IPv4 and/or IPv6 addresses
- # that have full access to this host.
+ # or subnets that have full access to
+ # this host, or files containing such
+ # addresses or subnets, one per line.
# Be very careful when setting this.
# This option can seriously degrade
# the level of protection provided by
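Review bot: The new comment line `# containing such address or subnets,` has a number mismatch — it should read `# containing such addresses or subnets,` to match the parallel wording added for firewall_trusted three lines below. The comment also only says "one per line", while the reading code later in this file drops lines that begin with `#` and uses only the first whitespace-separated field, so a reader configuring the file has no way to know comments are accepted; consider `# one per line (lines beginning with # are ignored).` on both entries. It would also help to state here that these files are trusted policy input and must not be writable by anyone other than root. The comment block continues past the end of the hunk.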
@@ -467,25 +471,30 @@
# workstation won't be a problem.
#
for i in ${firewall_allowservices} ; do
+ if [ -f "$i" ]; then
+ grep '^[^#]' "$i"
+ else
+ echo "$i"
+ fi
+ done | while read i _; do
for j in ${firewall_myservices} ; do
case $j in
[0-9A-Za-z]*/[Pp][Rr][Oo][Tt][Oo])
${fwcmd} add pass ${j%/[Pp][Rr][Oo][Tt][Oo]} from $i to me
- ;;
+ ;;
[0-9A-Za-z]*/[Tt][Cc][Pp])
${fwcmd} add pass tcp from $i to me ${j%/[Tt][Cc][Pp]}
- ;;
+ ;;
[0-9A-Za-z]*/[Uu][Dd][Pp])
${fwcmd} add pass udp from $i to me ${j%/[Uu][Dd][Pp]}
- ;;
+ ;;
*[0-9A-Za-z])
- echo "Consider using ${j}/tcp in firewall_myservices." \
- > /dev/stderr
+ echo "Consider using ${j}/tcp in firewall_myservices." >&2
${fwcmd} add pass tcp from $i to me $j
- ;;
+ ;;
*)
- echo "Invalid port in firewall_myservices: $j" > /dev/stderr
- ;;
+ echo "Invalid port in firewall_myservices: $j" >&2
+ ;;
esac
done
done
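Review bot: The filter at `grep '^[^#]' "$i"` still passes whitespace-only lines and comment lines that start with a blank before the `#`, so `read i _` hands the inner loop an empty `$i` or a literal `#`, and every entry of `firewall_myservices` then produces a malformed `${fwcmd} add pass ... from  to me ...` call that ipfw will reject. Use `grep -v '^[[:space:]]*#' "$i"` on that line and make `[ -n "$i" ] || continue` the first statement of the `while` body; `read -r i _` would additionally stop backslashes from being interpreted. Note as well that `[ -f "$i" ]` will treat any word in firewall_allowservices that happens to name an existing regular file (relative to the script's working directory) as a list rather than an address, so relative paths should probably be rejected or at least documented as unsupported. The surrounding case arm for the workstation firewall starts outside the hunk.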
@@ -494,6 +503,12 @@
# Playing with the content of firewall_trusted could seriously
# degrade the level of protection provided by the firewall.
for i in ${firewall_trusted} ; do
+ if [ -f "$i" ]; then
+ grep '^[^#]' "$i"
+ else
+ echo "$i"
+ fi
+ done | while read i _ ; do
${fwcmd} add pass ip from $i to me
done
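Review bot: A file named in firewall_trusted now decides who gets `ip from $i to me` (full access to the host) with no check on who can write that file, and neither the hunk nor the updated comments warn about it; a list file that is group- or world-writable lets a non-root user grant themselves full access on the next rc.firewall run. At minimum document that these files must be root-owned and not writable by others, or refuse them before reading, e.g. `if [ -f "$i" ] && [ -O "$i" ]; then` (FreeBSD's test(1) appears to support `-O` — confirm before relying on it) with a warning to stderr for the rejected file. The same filter issue as in the firewall_allowservices loop applies here: whitespace-only or indented-comment lines survive `grep '^[^#]' "$i"` and become an empty or `#` `$i`, yielding a bogus `${fwcmd} add pass ip from  to me`; `grep -v '^[[:space:]]*#' "$i"` plus `[ -n "$i" ] || continue` fixes it. The `while` now runs in a pipeline subshell, which is harmless here since the body assigns nothing.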
