Bug 247695 - Is customizing /etc/rc.firewall risky?
Summary: Is customizing /etc/rc.firewall risky?
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: conf
Version: 12.1-RELEASE
Hardware: Any Any
Importance: --- Affects Some People
Assignee: freebsd-rc (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-07-01 18:17 UTC by Jason W. Bacon
Modified: 2021-05-14 13:22 UTC
CC List: 2 users
Description Jason W. Bacon freebsd_committer 2020-07-01 18:17:57 UTC
Is it really advisable to customize /etc/rc.firewall as the handbook suggests for client and simple rule sets?

I think we would want to update this file via freebsd-update at times, in which case preserving local modifications would be a nightmare as there's no telling what people might stick in there.

Would it perhaps be better to add something like

. /etc/rc.firewall.local

and tell users to put their customizations there?
Comment 1 Andriy Gapon freebsd_committer 2020-07-01 21:39:23 UTC
Is this a bug report? :)
Maybe mailing lists would be better?
Comment 2 Li-Wen Hsu freebsd_committer 2020-10-29 02:22:51 UTC
Could we close this ticket and move the discussion to mailing lists?
Comment 3 Jason W. Bacon freebsd_committer 2020-10-29 02:36:33 UTC
Sorry, I didn't see Andriy's reply before.

Yes, I think advising users to modify a file that could be overwritten by freebsd-update is a bug.  Most users would be extremely annoyed if they customized /etc/rc.firewall only to have their changes clobbered by a routine update.  Worse yet, they might not notice immediately that their firewall isn't protecting the system as expected. I would update the rc.firewall script to source a local customizations script that freebsd-update will never touch, and update the handbook accordingly.
Comment 4 Jason W. Bacon freebsd_committer 2020-10-29 02:51:19 UTC
Another option is to rename the file /etc/rc.firewall.sample and add a comment in the file itself and the handbook telling users to copy it to /etc/rc.firewall.  freebsd-update would then only overwrite the .sample file, leaving the customized rules intact.
Comment 5 Rodney W. Grimes freebsd_committer 2021-05-14 13:22:29 UTC
No one should ever modify /etc/rc.firewall, and any recommendations to do so should be updated.  The PROPER way to do this is to copy the file to some other place, and override the /etc/default/rc.conf variable "firewall_script" to point to the new file:
firewall_script="/etc/firewall/firewall"
is an example from my systems.
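The firewall_script override in comment 5, together with the worry in comment 3 that an update could silently leave the firewall not protecting the system, can be checked from a script. The following is an added example, not FreeBSD's own rc(8) code and not anything posted in this bug: a POSIX sh snippet that resolves firewall_script from an rc.conf file and flags the configuration when it still points at the stock file, when the override is missing, or when the override is world-writable. The function names, the fixture files under a temp directory and the world-writable check are assumptions of this example; the only facts it relies on from the page are the firewall_script variable and the /etc/rc.firewall default.

```shell
#!/bin/sh
# Added example, not FreeBSD's own rc(8) code.  It resolves which script the
# ipfw startup would run from an rc.conf file and checks that it is a local
# override rather than the stock /etc/rc.firewall, which freebsd-update may
# replace.  Every path used below is a constructed fixture in a temp dir.

# Print the firewall script that rc.conf selects: the last firewall_script=
# assignment in $1, or the default in $2 (on a real system the default,
# /etc/rc.firewall, comes from /etc/defaults/rc.conf) when none is present.
resolve_firewall_script() {
    rcconf=$1
    default=${2:-/etc/rc.firewall}
    val=$(sed -n 's/^[[:space:]]*firewall_script="\{0,1\}\([^"#]*\)"\{0,1\}.*$/\1/p' "$rcconf" | tail -n 1)
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        printf '%s\n' "$default"
    fi
}

# Exit status 0 when the selected script is a usable local override; otherwise
# a distinct non-zero status and a one-line reason on stdout.
#   1: still the stock script (local edits there are lost on update)
#   2: the configured script is missing (no rules will load from it)
#   3: the configured script is world-writable (any local user can change rules)
check_firewall_script() {
    rcconf=$1
    stock=${2:-/etc/rc.firewall}
    script=$(resolve_firewall_script "$rcconf" "$stock")
    if [ "$script" = "$stock" ]; then
        echo "WARN: firewall_script is the stock $stock; freebsd-update can overwrite local edits there"
        return 1
    fi
    if [ ! -f "$script" ]; then
        echo "FAIL: firewall_script=$script does not exist"
        return 2
    fi
    if [ -n "$(find "$script" -maxdepth 0 -perm -002)" ]; then
        echo "FAIL: $script is world-writable"
        return 3
    fi
    echo "OK: firewall rules are loaded from $script"
    return 0
}

# --- constructed fixtures (hypothetical paths, not a real system) ----------
FIXTURE_DIR=$(mktemp -d)
STOCK_SCRIPT=$FIXTURE_DIR/rc.firewall           # stands in for /etc/rc.firewall
LOCAL_SCRIPT=$FIXTURE_DIR/firewall/firewall     # stands in for /etc/firewall/firewall
OPEN_SCRIPT=$FIXTURE_DIR/firewall/open          # a world-writable copy
mkdir -p "$FIXTURE_DIR/firewall"
printf '# stock rules, replaced by freebsd-update\n' > "$STOCK_SCRIPT"
printf '# local rules, never touched by freebsd-update\n' > "$LOCAL_SCRIPT"
cp "$LOCAL_SCRIPT" "$OPEN_SCRIPT"
chmod 644 "$STOCK_SCRIPT" "$LOCAL_SCRIPT"
chmod 666 "$OPEN_SCRIPT"

RC_DEFAULT=$FIXTURE_DIR/rc.conf.default   # no override: the stock script runs
printf 'firewall_enable="YES"\nfirewall_type="client"\n' > "$RC_DEFAULT"

RC_LOCAL=$FIXTURE_DIR/rc.conf.local       # override, as in comment 5
printf 'firewall_enable="YES"\nfirewall_script="%s"  # local rules\n' "$LOCAL_SCRIPT" > "$RC_LOCAL"

RC_MISSING=$FIXTURE_DIR/rc.conf.missing   # override pointing at a missing file
printf 'firewall_script=%s/does-not-exist\n' "$FIXTURE_DIR" > "$RC_MISSING"

RC_OPEN=$FIXTURE_DIR/rc.conf.open         # override pointing at the 0666 file
printf 'firewall_script="%s"\n' "$OPEN_SCRIPT" > "$RC_OPEN"

# Report on each fixture; non-zero statuses are expected for three of them.
for rc in "$RC_DEFAULT" "$RC_LOCAL" "$RC_MISSING" "$RC_OPEN"; do
    check_firewall_script "$rc" "$STOCK_SCRIPT" || :
done
```

On a real host the call would be `check_firewall_script /etc/rc.conf` with the default stock path; running it after each freebsd-update, or from a periodic job, turns the silent failure described in comment 3 into a visible one. The distinct exit statuses exist so the check can be wired into monitoring without parsing its text.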