Is it really advisable to customize /etc/rc.firewall as the handbook suggests for client and simple rule sets?
I think we would want to update this file via freebsd-update at times, in which case preserving local modifications would be a nightmare as there's no telling what people might stick in there.
Would it perhaps be better to add something like
and tell users to put their customizations there?
Is this a bug report? :)
Maybe mailing lists would be better?
Could we close this ticket and move the discussion to mailing lists?
Sorry, I didn't see Andriy's reply before.
Yes, I think advising users to modify a file that could be overwritten by freebsd-update is a bug. Most users would be extremely annoyed if they customized /etc/rc.firewall only to have their changes clobbered by a routine update. Worse yet, they might not notice immediately that their firewall isn't protecting the system as expected. I would update the rc.firewall script to source a local customizations script that freebsd-update will never touch, and update the handbook accordingly.
Another option is to rename the file /etc/rc.firewall.sample and add a comment in the file itself and the handbook telling users to copy it to /etc/rc.firewall. freebsd-update would then only overwrite the .sample file, leaving the customized rules intact.
No one should ever modify /etc/rc.firewall, and any recommendations to do so should be updated. The PROPER way to do this is to copy the file to some other place, and override the /etc/default/rc.conf variable "firewall_script" to point to the new file:
is an example from my systems.
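A stand-alone illustration of the firewall_script approach described in the comment above, added here as an example; it is not the commenter's own configuration (which is not reproduced in this ticket) and not part of the FreeBSD base system. The file location /usr/local/etc/rc.firewall.local and the ipfw rule set are assumptions; only the rc.conf variables (firewall_enable, firewall_script, whose default /etc/rc.firewall comes from /etc/defaults/rc.conf) and the fact that rc.d/ipfw runs the named script with /bin/sh are FreeBSD behaviour. The script stages the rule file plus the rc.conf override under a directory you name, and includes a check that confirms rc.conf really does point firewall_script away from the base-system file, which is the condition that keeps a freebsd-update run from clobbering the rules.

```shell
#!/bin/sh
# Added example, not from the bug report or from FreeBSD's own files.
# Keeps ipfw rules in a file that freebsd-update never touches and points
# rc.conf's firewall_script at it.  The path /usr/local/etc/rc.firewall.local
# and the rule set below are assumptions; adapt both to the host.

# Rule set that lives outside the base system.  rc.d/ipfw runs the file named
# by firewall_script with /bin/sh (passing firewall_type as $1), so the file
# does not need to be executable.  These rules are a constructed, client-style
# stateful policy: loopback only on lo0, outbound sessions tracked, rest denied.
LOCAL_FW='#!/bin/sh
# Local ipfw rules; loaded by rc.d/ipfw because firewall_script names this file.
fwcmd="/sbin/ipfw"
${fwcmd} -f flush
${fwcmd} add 100 allow ip from any to any via lo0
${fwcmd} add 200 deny ip from any to 127.0.0.0/8
${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
${fwcmd} add 1000 check-state
${fwcmd} add 1100 allow tcp from me to any setup keep-state
${fwcmd} add 1200 allow udp from me to any keep-state
${fwcmd} add 1300 allow icmp from any to any
${fwcmd} add 65000 deny log ip from any to any
'

# Stage the rule file and the rc.conf override under root $1 (a temp dir for a
# dry run, or "" for the live system).  Appends to rc.conf so existing settings
# survive; run it once, or merge the two lines by hand.
install_local_firewall() {
    mkdir -p "$1/usr/local/etc" "$1/etc"
    printf '%s' "$LOCAL_FW" > "$1/usr/local/etc/rc.firewall.local"
    # rc runs as root and only needs read access; keep the policy private.
    chmod 0600 "$1/usr/local/etc/rc.firewall.local"
    cat >> "$1/etc/rc.conf" <<'EOF'
firewall_enable="YES"
firewall_script="/usr/local/etc/rc.firewall.local"
EOF
}

# Report whether rc.conf ($1) overrides firewall_script away from the
# base-system default /etc/rc.firewall.  The last assignment wins, as it
# would in sh.  Returns 0 if overridden, 1 if unset or still the default.
firewall_script_overridden() {
    fw_script=$(grep '^firewall_script=' "$1" 2>/dev/null | tail -n 1 \
                | cut -d= -f2- | tr -d '"')
    [ -n "$fw_script" ] && [ "$fw_script" != "/etc/rc.firewall" ]
}

# Dry run into a staging root when one is given, e.g.: sh thisfile /tmp/stage
if [ -n "${1:-}" ]; then
    install_local_firewall "$1"
    firewall_script_overridden "$1/etc/rc.conf" \
        && echo "firewall_script override staged under $1"
fi
```

After staging into a scratch directory and inspecting the result, the same two rc.conf lines and the rule file can be placed on the live system; from then on freebsd-update may rewrite /etc/rc.firewall freely and the running policy is unaffected. The check function is worth keeping around: if firewall_script is ever removed from rc.conf, the system silently falls back to the base-system file, which is exactly the failure the ticket is about.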