ipfw: Add option for firewall_type to be a directory

If specified, this will run rcorder over a directory.  A small subset of examples is also provided

Signed-off-by: Dan Mahoney <[email protected]>

Author: thegushi

libexec/rc/rc.firewall

@@ -547,7 +547,16 @@ case ${firewall_type} in
 	;;
 *)
 	if [ -r "${firewall_type}" ]; then
-		${fwcmd} ${firewall_flags} ${firewall_type}
+		if [ -f "${firewall_type}" ]; then
+			${fwcmd} ${firewall_flags} ${firewall_type}
+		else
+		if [ -d "${firewall_type}" ]; then
+			for fwfile in `rcorder $firewall_type/*`
+			do
+				ipfw -q $fwfile;
+			done
+			fi
+		fi
 	fi
 	;;
 esac

share/examples/ipfw.d/final

@@ -0,0 +1,13 @@
+#
+# PROVIDE: final
+# REQUIRE: setup services outbound routing
+#
+
+#
+add allow tcp from me to any out setup // default outbound 
+
+# silently ignore local multicast
+add deny ip from any to 224.0.0.0/4 // drop multicast
+
+# drop and log everything else
+add reset log ip from any to any

share/examples/ipfw.d/ntp_client

@@ -0,0 +1,11 @@
+# REQUIRE: outbound
+# PROVIDE: ntp_client ntp_servers
+# BEFORE: final
+
+table ntp_servers create
+
+# Uncomment and your NTP servers (if they are on known ips in your network) to the following table:
+
+# table ntp_servers add x.x.x.x
+
+add allow ip from me to table(ntp_servers) 123 keep-state // NTP outbound

share/examples/ipfw.d/outbound

@@ -0,0 +1,6 @@
+#
+# REQUIRE: services
+# PROVIDE: outbound
+# BEFORE: final
+#
+# meta class - adds no rules

share/examples/ipfw.d/routing

@@ -0,0 +1,6 @@
+#
+# REQUIRE: setup
+# PROVIDE: routing
+# BEFORE: services
+#
+# meta class - adds no rules

share/examples/ipfw.d/services

@@ -0,0 +1,5 @@
+# REQUIRE: setup routing
+# PROVIDE: services
+# BEFORE: outbound
+#
+# meta class - adds no rules

share/examples/ipfw.d/setup

@@ -0,0 +1,47 @@
+#
+# PROVIDE: setup blocked bogons
+# BEFORE: services routing outbound final
+#
+
+# remove all existing tables
+table all destroy
+table blocked create
+
+# standard (non-service specific) tables
+table bogons create
+table bogons add 0.0.0.0/8
+table bogons add 10.0.0.0/8
+table bogons add 172.12.0.0/12
+table bogons add 192.168.0.0/16
+table bogons add 169.254.0.0/16
+table bogons add 240.0.0.0/4
+
+# permit existing TCP sessions
+add allow tcp from any to any established
+
+# permit internal loopback traffic
+add allow ip from any to any via lo0
+add allow ip from any to any via lo1
+
+# deny directed loopback traffic
+add deny ip from any to 127.0.0.0/8 in
+add deny ip from any to ::/64 in
+
+# deny unexpected sources
+add deny ip from table(bogons) to me in // unexpected sources
+
+# deny explicitly disabled (non-persistent) sources
+add deny ip from table(blocked) to me in // emergency (non-persistent) blocklist
+
+# allow bsd-standard-port traceroutes
+add allow udp from me to any 33434-33600 // traceroute in
+add allow udp from any to me 33434-33600 // traceroute out
+
+# moderately permissive ICMPv4
+add allow icmp from any to any icmptypes 0,3,8,11,13,14 // safe ICMPv4
+
+# link-local ICMPv6 (RS, RA, NS, NA) - per FreeBSD standard rules
+add allow ipv6-icmp from :: to fe80::/10 // ICMPv6 DAD
+add allow ipv6-icmp from fe80::/10 to fe80::/10 // ICMPv6 NDP
+add allow ipv6-icmp from fe80::/10 to ff02::/16 // ICMPv6 NDP
+add allow ipv6-icmp from any to any icmp6types 1,2,3,128,129,135,136 // safe ICMPv6

share/examples/ipfw.d/ssh_service

@@ -0,0 +1,7 @@
+# REQUIRE: services
+# PROVIDE: ssh_service ssh_clients
+# BEFORE: outbound
+
+table ssh_clients create
+
+add allow tcp from table(ssh_clients) to me 22 in setup	        // inbound SSH