Bring rc.firewall{,6} more in line with the word and spirit of

rc.conf(5) and the files' inline documentation.

  - Add the "closed"-type, documented in both places, but which did not
    exist in the code.

  - When provided a ruleset, the system should not make any assumptions
    about the sites's policy and should add no rules of its own.

  - Make the "UNKNOWN" (documented in-line) actual work as advertised,
    load no rules.

Prodded by:	Igor M Podlesny <poige@morning.ru>
MFC after:	1 week

etc/rc.firewall

@@ -76,6 +76,15 @@ fi
 #	http://www.awlonline.com/product/0%2C2627%2C0201633574%2C00.html
 #
 
+setup_loopback () {
+	############
+	# Only in rare cases do you want to change these rules
+	#
+	${fwcmd} add 100 pass all from any to any via lo0
+	${fwcmd} add 200 deny all from any to 127.0.0.0/8
+	${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
+}
+
 if [ -n "${1}" ]; then
 	firewall_type="${1}"
 fi
@@ -125,18 +134,12 @@ esac
 #
 # ${fwcmd} add 65000 pass all from any to any
 
-############
-# Only in rare cases do you want to change these rules
-#
-${fwcmd} add 100 pass all from any to any via lo0
-${fwcmd} add 200 deny all from any to 127.0.0.0/8
-${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
-
 
 # Prototype setups.
 #
 case ${firewall_type} in
 [Oo][Pp][Ee][Nn])
+	setup_loopback
 	${fwcmd} add 65000 pass all from any to any
 	;;
 
@@ -151,6 +154,8 @@ case ${firewall_type} in
 	mask="255.255.255.0"
 	ip="192.0.2.1"
 
+	setup_loopback
+
 	# Allow any traffic to or from my own net.
 	${fwcmd} add pass all from ${ip} to ${net}:${mask}
 	${fwcmd} add pass all from ${net}:${mask} to ${ip}
@@ -200,6 +205,8 @@ case ${firewall_type} in
 	imask="255.255.255.240"
 	iip="192.0.2.17"
 
+	setup_loopback
+
 	# Stop spoofing
 	${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
 	${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
@@ -281,6 +288,9 @@ case ${firewall_type} in
 	# config file.
 	;;
 
+[Cc][Ll][Oo][Ss][Ee][Dd])
+	setup_loopback
+	;;
 [Uu][Nn][Kk][Nn][Oo][Ww][Nn])
 	;;
 *)

etc/rc.firewall6

@@ -49,6 +49,21 @@ fi
 #	http://www.awlonline.com/product/0%2C2627%2C0201633574%2C00.html
 #
 
+setup_local () {
+	############
+	# Only in rare cases do you want to change these rules
+	#
+	${fw6cmd} add 100 pass all from any to any via lo0
+	#
+	# ND
+	#
+	# DAD
+	${fw6cmd} add pass ipv6-icmp from :: to ff02::/16
+	# RS, RA, NS, NA, redirect...
+	${fw6cmd} add pass ipv6-icmp from fe80::/10 to fe80::/10
+	${fw6cmd} add pass ipv6-icmp from fe80::/10 to ff02::/16
+}
+
 if [ -n "${1}" ]; then
 	ipv6_firewall_type="${1}"
 fi
@@ -78,24 +93,12 @@ ${fw6cmd} -f flush
 #
 # ${fw6cmd} add 65000 pass all from any to any
 
-############
-# Only in rare cases do you want to change these rules
-#
-${fw6cmd} add 100 pass all from any to any via lo0
-#
-# ND
-#
-# DAD
-${fw6cmd} add pass ipv6-icmp from :: to ff02::/16
-# RS, RA, NS, NA, redirect...
-${fw6cmd} add pass ipv6-icmp from fe80::/10 to fe80::/10
-${fw6cmd} add pass ipv6-icmp from fe80::/10 to ff02::/16
-
 
 # Prototype setups.
 #
 case ${ipv6_firewall_type} in
 [Oo][Pp][Ee][Nn])
+	setup_local
 	${fw6cmd} add 65000 pass all from any to any
 	;;
 
@@ -113,6 +116,8 @@ case ${ipv6_firewall_type} in
 	prefixlen="64"
 	ip="3ffe:505:2:1::1"
 
+	setup_local
+
 	# Allow any traffic to or from my own net.
 	${fw6cmd} add pass all from ${ip} to ${net}/${prefixlen}
 	${fw6cmd} add pass all from ${net}/${prefixlen} to ${ip}
@@ -174,6 +179,8 @@ case ${ipv6_firewall_type} in
 	iprefixlen="64"
 	iip="3ffe:505:2:2::1"
 
+	setup_local
+
 	# Stop spoofing
 	${fw6cmd} add deny all from ${inet}/${iprefixlen} to any in via ${oif}
 	${fw6cmd} add deny all from ${onet}/${oprefixlen} to any in via ${iif}
@@ -265,6 +272,10 @@ case ${ipv6_firewall_type} in
 	# config file.
 	;;
 
+[Cc][Ll][Oo][Ss][Ee][Dd])
+	# Only enable the loopback interface
+	${fw6cmd} add 100 pass all from any to any via lo0
+	;;
 [Uu][Nn][Kk][Nn][Oo][Ww][Nn])
 	;;
 *)