initial upload

roles/firewall/templates/etc_firewall_outbound_whitelist.acl.j2

@@ -0,0 +1,5 @@
+# {{ ansible_managed }}
+
+{% for name in firewall_output_whitelist_domains %}
+{{ name }}
+{% endfor %}

roles/firewall/templates/etc_init.d_firewall.j2

@@ -0,0 +1,133 @@
+#!/bin/sh
+
+# {{ ansible_managed }}
+
+### BEGIN INIT INFO
+# Provides:          firewall
+# Required-Start:    $network
+# Required-Stop:     $network
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: Set up iptables rules
+# Description:       Loads current iptables rules from/to /etc/firewall
+### END INIT INFO
+
+. /lib/lsb/init-functions
+
+PATH="/sbin:$PATH"
+
+rc=0
+
+flush_ipv4()
+{
+	for chain in INPUT FORWARD OUTPUT; do
+		iptables -P $chain ACCEPT
+	done
+	for table in $(iptables-save | awk '/^\*/ { print substr($1,2) }'); do
+		iptables -t $table -F
+		iptables -t $table -X
+		iptables -t $table -Z
+	done
+}
+
+flush_ipv6()
+{
+	for chain in INPUT FORWARD OUTPUT; do
+		ip6tables -P $chain ACCEPT
+	done
+	for table in $(ip6tables-save | awk '/^\*/ { print substr($1,2) }'); do
+		ip6tables -t $table -F
+		ip6tables -t $table -X
+		ip6tables -t $table -Z
+	done
+}
+
+load_rules()
+{
+	log_action_begin_msg "Loading iptables rules"
+
+	# load IPv4 rules
+	if [ ! -d /etc/firewall/rules-v4.d ]; then
+		log_action_cont_msg " skipping IPv4 (no rules to load)"
+	else
+		log_action_cont_msg " IPv4"
+
+		flush_ipv4
+		for frag in /etc/firewall/rules-v4.d/*.sh; do
+			if [ -r "$frag" ]; then
+				. "$frag"
+				if [ $? -ne 0 ]; then
+			    		rc=1
+				fi
+			fi
+		done
+	fi
+
+	# load IPv6 rules
+	if [ ! -d /etc/firewall/rules-v6.d ]; then
+		log_action_cont_msg " skipping IPv6 (no rules to load)"
+	else
+		log_action_cont_msg " IPv6"
+
+		flush_ipv6
+		for frag in /etc/firewall/rules-v6.d/*.sh; do
+			if [ -r "$frag" ]; then
+				. "$frag"
+				if [ $? -ne 0 ]; then
+			    		rc=1
+				fi
+			fi
+		done
+	fi
+
+	log_action_end_msg $rc
+}
+
+flush_rules()
+{
+	log_action_begin_msg "Flushing rules"
+
+	if [ ! -f /proc/net/ip_tables_names ]; then
+		log_action_cont_msg " skipping IPv4"
+	else
+		log_action_cont_msg " IPv4"
+		flush_ipv4
+	fi
+
+	if [ ! -f /proc/net/ip6_tables_names ]; then
+		log_action_cont_msg " skipping IPv6"
+	else
+		log_action_cont_msg " IPv6"
+		flush_ipv6
+	fi
+
+	log_action_end_msg 0
+}
+
+case "$1" in
+start|restart|reload|force-reload)
+	load_rules
+	;;
+stop)
+	echo "Automatic flushing disabled, use \"flush\" instead of \"stop\""
+	;;
+flush)
+	flush_rules
+	;;
+debug)
+	iptables() { echo "iptables $@"; }
+	ip6tables() { echo "ip6tables $@"; }
+	ipset() { echo "ipset $@"; }
+	log_action_begin_msg() { :; }
+	log_action_cont_msg() { :; }
+	log_action_end_msg() { :; }
+
+	load_rules
+	;;
+*)
+	echo "Usage: $0 {start|restart|reload|force-reload|save|flush}" >&2
+	exit 1
+	;;
+esac
+
+exit $rc

roles/firewall/templates/rules-v4.d/10_conntrack.sh.j2

@@ -0,0 +1,5 @@
+# {{ ansible_managed }}
+
+# Allow established connections
+iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

roles/firewall/templates/rules-v4.d/15_local.sh.j2

@@ -0,0 +1,5 @@
+# {{ ansible_managed }}
+
+# Allow all traffic from localhost
+iptables -A INPUT -i lo -j ACCEPT
+iptables -A OUTPUT -o lo -j ACCEPT

roles/firewall/templates/rules-v4.d/17_monitoring.sh.j2

@@ -0,0 +1,7 @@
+# {{ ansible_managed }}
+
+iptables -N monitoring-in
+
+{% for srcip in firewall_monitoring_ips|default([]) %}
+iptables -A INPUT -s {{ srcip }} -j monitoring-in
+{% endfor %}

roles/firewall/templates/rules-v4.d/18_internal.sh.j2

@@ -0,0 +1,24 @@
+# {{ ansible_managed }}
+
+{% if datacenter_global_networks is defined %}
+iptables -N internal-in
+{% if firewall_allow_internal_dns %}
+iptables -A internal-in -p tcp --dport 53 -m comment --comment "common-dns" -j ACCEPT
+iptables -A internal-in -p udp --dport 53 -m comment --comment "common-dns" -j ACCEPT
+{% endif %}
+
+{% for srcip in datacenter_global_networks + datacenter_public_networks %}
+iptables -A INPUT -s {{ srcip }} -j internal-in
+{% endfor %}
+
+iptables -N internal-out
+iptables -A internal-out -p tcp -m multiport --dports 53,80,443,2181,3306:3310,8086,10231 -m comment --comment "common-services" -j ACCEPT
+iptables -A internal-out -p udp --dport 53 -m comment --comment "common-dns" -j ACCEPT
+iptables -A internal-out -p tcp --dport 10514 -m owner --uid-owner 0 -m comment --comment "syslog" -j ACCEPT
+iptables -A internal-out -p icmp -j ACCEPT
+
+{% for dstip in datacenter_global_networks + datacenter_public_networks %}
+iptables -A OUTPUT -d {{ dstip }} -j internal-out
+{% endfor %}
+
+{% endif %}

roles/firewall/templates/rules-v4.d/20_whitelist.sh.j2

@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+{% if firewall_whitelist_ip %}
+# Whitelist IPs
+{% for ip in firewall_whitelist_ip %}
+iptables -A INPUT -s {{ ip }} -m comment --comment "whitelist" -j ACCEPT
+{% endfor %}
+{% endif %}

roles/firewall/templates/rules-v4.d/22_ssh.sh.j2

@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+# Allow SSH only from IPs:
+iptables -N ssh-in
+{% for ip in firewall_ssh_acl|default([]) + firewall_ssh_acl_extra|default([]) %}
+iptables -A ssh-in -s {{ ip }} -j ACCEPT
+{% endfor %}
+iptables -A INPUT -p tcp --dport 22 -m comment --comment "ssh" -j ssh-in

roles/firewall/templates/rules-v4.d/24_influxdb.sh.j2

@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+# Allow InfluxDB Replication only from IPs:
+iptables -N influx-in
+{% for ip in firewall_influx_acl|default([]) + firewall_influx_acl_extra|default([]) %}
+iptables -A influx-in -s {{ ip }} -j ACCEPT
+{% endfor %}
+iptables -A INPUT -p tcp --dport 8086 -m comment --comment "influx" -j influx-in

roles/firewall/templates/rules-v4.d/33_mariadb.sh.j2

@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+# Allow MariaDB Replication only from IPs:
+iptables -N mariadb-in
+{% for ip in firewall_mariadb_acl|default([]) + firewall_mariadb_acl_extra|default([]) %}
+iptables -A mariadb-in -s {{ ip }} -j ACCEPT
+{% endfor %}
+iptables -A INPUT -p tcp --dport 3306 -m comment --comment "mariadb" -j mariadb-in

roles/firewall/templates/rules-v4.d/50_custom.sh.j2

@@ -0,0 +1,3 @@
+# {{ ansible_managed }}
+
+{{ firewall_custom_ipv4_rules }}

roles/firewall/templates/rules-v4.d/85_whitelist.sh.j2

@@ -0,0 +1,15 @@
+# {{ ansible_managed }}
+
+{% if firewall_late_whitelist_ip %}
+# Whitelist IPs
+{%   for ip in firewall_late_whitelist_ip %}
+iptables -A INPUT -s {{ ip }} -m comment --comment "whitelist" -j ACCEPT
+{%   endfor %}
+{% endif %}
+
+{% if firewall_whitelist_office_ip and firewall_whitelist_office_ports %}
+# Offices  TODO remove
+{%   for ip in firewall_whitelist_office_ip %}
+iptables -A INPUT -s {{ ip }} -p tcp -m multiport --dports "{{ firewall_whitelist_office_ports | join(',') }}" -m comment --comment "office-whitelist" -j ACCEPT
+{%   endfor %}
+{% endif %}

roles/firewall/templates/rules-v4.d/90_allow_outbound.sh.j2

@@ -0,0 +1,69 @@
+# {{ ansible_managed }}
+
+{% if firewall_output_default_drop or firewall_output_whitelist_ipv4 %}
+{%   for ip in network_nameservers + ['8.8.8.8'] if ip|ipv4 %}
+{%     if loop.first %}
+# Allow DNS
+{%     endif %}
+iptables -A OUTPUT -d {{ ip }} -p tcp --dport 53 -m comment --comment "dns" -j ACCEPT
+iptables -A OUTPUT -d {{ ip }} -p udp --dport 53 -m comment --comment "dns" -j ACCEPT
+{%   endfor %}
+
+if getent group postfix >/dev/null 2>&1; then
+	# Permit outbound SMTP for Postfix only (TODO: move to postfix role)
+	iptables -A OUTPUT -p tcp --dport 25 -m owner --gid-owner postfix -m comment --comment "smtp" -j ACCEPT
+fi
+
+{%   if not (firewall_output_learning or firewall_output_whitelist_ipv4) %}
+# Permit outbound HTTP for user _apt
+iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner _apt -m comment --comment "apt" -j ACCEPT
+
+# Permit outbound SSH for normal users
+iptables -A OUTPUT -p tcp --dport 22 -m owner --uid-owner 1000-65500 -m comment --comment "ssh" -j ACCEPT
+
+# Allow all outbound traffic for the root user
+iptables -A OUTPUT -m owner --uid-owner 0 -j ACCEPT
+{%   endif %}
+
+{%   for ip in datacenter_global_networks|default([]) + datacenter_all_networks|default([]) %}
+iptables -A OUTPUT -d {{ ip }} -m comment --comment "keepcalling" -j ACCEPT
+{%   endfor %}
+
+{%   if firewall_output_whitelist_domains %}
+# Outbound ACL for whitelist
+if [ -r /etc/firewall/outbound_whitelist_ipv4.acl ]; then
+
+	ipset -exist create outbound-whitelist hash:net counters comment
+	ipset flush outbound-whitelist
+	grep -v '^#' /etc/firewall/outbound_whitelist_ipv4.acl | while read ip name; do
+		ipset -exist add outbound-whitelist "$ip" comment "$name"
+	done < /etc/firewall/outbound_whitelist_ipv4.acl
+
+#	iptables -A OUTPUT -m set --match-set outbound-whitelist,dst -j ACCEPT
+fi
+{%   endif %}
+
+{%   if firewall_output_whitelist_ipv4 %}
+# Outbound ACL for whitelist
+iptables -N outbound-whitelist
+{%     for item in firewall_output_whitelist_ipv4 %}
+iptables -A outbound-whitelist -d {{ item.ip }} -m comment --comment "{{ item.name }}" -j ACCEPT
+{%     endfor %}
+iptables -A OUTPUT -j outbound-whitelist
+{%   endif %}
+
+{%   if firewall_output_learning %}
+
+ipset -exist create outbound hash:ip counters
+
+iptables -A OUTPUT -p tcp --syn -m set --match-set outbound dst -j ACCEPT
+iptables -A OUTPUT -p udp -m set --match-set outbound dst -j ACCEPT
+
+iptables -A OUTPUT -p tcp --syn -j SET --add-set outbound dst
+iptables -A OUTPUT -p udp -j SET --add-set outbound dst
+
+iptables -A internal-out -m limit --limit 10/min --limit-burst 2 -j LOG --log-prefix "{{ firewall_log_prefix }} internal-out DROP: " --log-level 5 --log-uid
+
+{%   endif %}
+
+{% endif %}

roles/firewall/templates/rules-v4.d/90_drop_all.sh.j2

@@ -0,0 +1,28 @@
+# {{ ansible_managed }}
+
+{% if firewall_input_default_drop %}
+# Allow Safe ICMP
+iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
+iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
+#iptables -A INPUT -p icmp --icmp-type redirect -j ACCEPT
+iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
+
+# Drop everything else
+iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP
+iptables -A INPUT -m limit --limit 10/min --limit-burst 2 -j LOG --log-prefix "{{ firewall_log_prefix }} INPUT DROP: " --log-level 5
+iptables -A INPUT -j DROP
+{% endif %}
+
+{% if firewall_output_default_drop %}
+# Allow Safe ICMP
+iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
+iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
+#iptables -A OUTPUT -p icmp --icmp-type redirect -j ACCEPT
+iptables -A OUTPUT -p icmp --icmp-type time-exceeded -j ACCEPT
+
+# Drop everything else
+iptables -A OUTPUT -p tcp --syn -m limit --limit 10/min --limit-burst 2 -j LOG --log-prefix "{{ firewall_log_prefix }} OUTPUT DROP: " --log-level 5 --log-uid
+iptables -A OUTPUT ! -p tcp -m limit --limit 10/min --limit-burst 2 -j LOG --log-prefix "{{ firewall_log_prefix }} OUTPUT DROP: " --log-level 5 --log-uid
+iptables -A OUTPUT -j REJECT
+{% endif %}

roles/firewall/templates/rules-v4.d/95_fail2ban.sh.j2

@@ -0,0 +1,6 @@
+# {{ ansible_managed }}
+
+# Restart fail2ban
+if systemctl -q is-active fail2ban.service; then
+	systemctl try-restart fail2ban.service
+fi

roles/firewall/templates/rules-v6.d/10_conntrack.sh.j2

@@ -0,0 +1,5 @@
+# {{ ansible_managed }}
+
+# Allow established connections
+ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

roles/firewall/templates/rules-v6.d/15_local.sh.j2

@@ -0,0 +1,5 @@
+# {{ ansible_managed }}
+
+# Allow all traffic from localhost
+ip6tables -A INPUT -i lo -j ACCEPT
+ip6tables -A OUTPUT -o lo -j ACCEPT

roles/firewall/templates/rules-v6.d/18_internal.sh.j2

@@ -0,0 +1,21 @@
+# {{ ansible_managed }}
+
+{% if datacenter_global_networks is defined %}
+ip6tables -N internal-in
+ip6tables -A INPUT -s fe80::/10 -j internal-in
+ip6tables -A INPUT -s fc00::/7 -j internal-in
+{% for net in datacenter_public_ipv6_networks|default([]) %}
+ip6tables -A INPUT -s {{ net }} -j internal-in
+{% endfor %}
+
+ip6tables -N internal-out
+ip6tables -A internal-out -p tcp -m multiport --dports 53,80,443,3306:3310 -m comment --comment "common-services" -j ACCEPT
+ip6tables -A internal-out -p udp -m multiport --dports 53,123 -m comment --comment "common-services" -j ACCEPT
+ip6tables -A internal-out -p icmpv6 -j ACCEPT
+
+ip6tables -A OUTPUT -d fe80::/10 -j internal-out
+ip6tables -A OUTPUT -d fc00::/7 -j internal-out
+{% for net in datacenter_public_ipv6_networks|default([]) %}
+ip6tables -A OUTPUT -d {{ net }} -j internal-out
+{% endfor %}
+{% endif %}

roles/firewall/templates/rules-v6.d/20_whitelist.sh.j2

@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+{% if firewall_whitelist_ipv6 %}
+# Whitelist IPs
+{%   for ip in firewall_whitelist_ipv6 %}
+ip6tables -A INPUT -s {{ ip }} -m comment --comment "whitelist" -j ACCEPT
+{%   endfor %}
+{% endif %}

roles/firewall/templates/rules-v6.d/50_custom.sh.j2

@@ -0,0 +1,3 @@
+# {{ ansible_managed }}
+
+{{ firewall_custom_ipv6_rules }}

roles/firewall/templates/rules-v6.d/85_whitelist.sh.j2

@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+{% if firewall_late_whitelist_ipv6 %}
+# Whitelist IPs
+{%   for ip in firewall_late_whitelist_ipv6 %}
+ip6tables -A INPUT -s {{ ip }} -m comment --comment "whitelist" -j ACCEPT
+{%   endfor %}
+{% endif %}

roles/firewall/templates/rules-v6.d/90_allow_outbound.sh.j2

@@ -0,0 +1,69 @@
+# {{ ansible_managed }}
+
+{% if firewall_output_default_drop or firewall_output_whitelist_ipv6 %}
+{%   for ip in network_nameservers if ip|ipv6 %}
+{%     if loop.first %}
+# Allow DNS
+{%     endif %}
+ip6tables -A OUTPUT -d {{ ip }} -p tcp --dport 53 -m comment --comment "dns" -j ACCEPT
+ip6tables -A OUTPUT -d {{ ip }} -p udp --dport 53 -m comment --comment "dns" -j ACCEPT
+{%   endfor %}
+
+if getent group postfix >/dev/null 2>&1; then
+	# Permit outbound SMTP for Postfix only (TODO: move to postfix role)
+	ip6tables -A OUTPUT -p tcp --dport 25 -m owner --gid-owner postfix -m comment --comment "smtp" -j ACCEPT
+fi
+
+{%   if not firewall_output_learning %}
+# Permit outbound HTTP for user _apt
+ip6tables -A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner _apt -m comment --comment "apt" -j ACCEPT
+
+# Permit outbound SSH for normal users
+ip6tables -A OUTPUT -p tcp --dport 22 -m owner --uid-owner 1000-65500 -m comment --comment "ssh" -j ACCEPT
+
+# Allow all outbound traffic for the root user
+ip6tables -A OUTPUT -m owner --uid-owner 0 -j ACCEPT
+{%   endif %}
+
+{%   for ip in datacenter_all_ipv6_networks|default([]) %}
+ip6tables -A OUTPUT -d {{ ip }} -m comment --comment "keepcalling" -j ACCEPT
+{%   endfor %}
+
+{%   if firewall_output_whitelist_domains %}
+# Outbound ACL for whitelist
+if [ -r /etc/firewall/outbound_whitelist_ipv6.acl ]; then
+
+	ipset -exist create outbound-whitelist hash:net family inet6 counters comment
+	ipset flush outbound-whitelist
+	grep -v '^#' /etc/firewall/outbound_whitelist_ipv6.acl | while read ip name; do
+		ipset -exist add outbound-whitelist "$ip" comment "$name"
+	done < /etc/firewall/outbound_whitelist_ipv6.acl
+
+#	ip6tables -A OUTPUT -m set --match-set outbound-whitelist,dst -j ACCEPT
+fi
+{%   endif %}
+
+{%   if firewall_output_whitelist_ipv6 %}
+# Outbound ACL for whitelist
+ip6tables -N outbound-whitelist
+{%     for item in firewall_output_whitelist_ipv6 %}
+ip6tables -A OUTPUT -d {{ item.ip }} -m comment --comment "{{ item.name }}" -j ACCEPT
+{%     endfor %}
+ip6tables -A OUTPUT -j outbound-whitelist
+{%   endif %}
+
+{%   if firewall_output_learning %}
+
+ipset -exist create outbound-ipv6 hash:ip family inet6 netmask 64 counters
+
+ip6tables -A OUTPUT -p tcp --syn -m set --match-set outbound-ipv6 dst -j ACCEPT
+ip6tables -A OUTPUT -p udp -m set --match-set outbound dst -j ACCEPT
+
+ip6tables -A OUTPUT -p tcp --syn -j SET --add-set outbound-ipv6 dst
+ip6tables -A OUTPUT -p udp -j SET --add-set outbound-ipv6 dst
+
+ip6tables -A internal-out -m limit --limit 10/min --limit-burst 2 -j LOG --log-prefix "{{ firewall_log_prefix }} internal-out DROP: " --log-level 5 --log-uid
+
+{%   endif %}
+
+{% endif %}

roles/firewall/templates/rules-v6.d/90_drop_all.sh.j2

@@ -0,0 +1,21 @@
+# {{ ansible_managed }}
+
+{% if firewall_input_default_drop %}
+# Allow ICMP
+ip6tables -A INPUT -p icmpv6 -j ACCEPT
+
+# Drop everything else
+ip6tables -A INPUT -m pkttype --pkt-type broadcast -j DROP
+ip6tables -A INPUT -m limit --limit 10/min --limit-burst 2 -j LOG --log-prefix "{{ firewall_log_prefix }} INPUT DROP: " --log-level 5
+ip6tables -A INPUT -j DROP
+{% endif %}
+
+{% if firewall_output_default_drop %}
+# Allow ICMP
+ip6tables -A OUTPUT -p icmpv6 ! --icmpv6-type echo-request -j ACCEPT
+
+# Drop everything else
+ip6tables -A OUTPUT -p tcp --syn -m limit --limit 10/min --limit-burst 2 -j LOG --log-prefix "{{ firewall_log_prefix }} OUTPUT DROP: " --log-level 5 --log-uid
+ip6tables -A OUTPUT ! -p tcp -m limit --limit 10/min --limit-burst 2 -j LOG --log-prefix "{{ firewall_log_prefix }} OUTPUT DROP: " --log-level 5 --log-uid
+ip6tables -A OUTPUT -j REJECT
+{% endif %}

roles/firewall/templates/usr_sbin_update-firewall-outbound.j2

@@ -0,0 +1,75 @@
+#!/bin/bash
+
+# Update /etc/firewall/outbound_whitelist_ipv*.acl from /etc/firewall/outbound_whitelist.acl
+
+resolve_hosts() {
+	local type="$1" out="$2"
+	local tmp=$(mktemp "$out.XXXXXX")
+
+	(
+		echo "# AUTO-GENERATED FROM outbound_whitelist.acl"
+		while read domain; do
+			case $domain in
+				"#"* | "")  ;;
+				*)
+					(host -t "$type" "$domain" 2>&1 || true) | sort -n | while read line; do
+						case $line in
+							*"not found"*)
+								echo "$line" >&2
+								;;
+							*"has address"*)
+								ip="${line##* }"
+								case $ip in
+									13.108.*) ip="13.108.0.0/14" ;;
+									*) ip="${ip%.*}.0/24" ;;
+								esac
+								echo "$ip $domain"
+								;;
+							*"has IPv6 address"*)
+								ip="${line##* }"
+								case $ip in
+									2607:f8b0:*) ip="2607:f8b0::/32" ;;
+									*) ip=$(ipv6calc --addr_to_uncompressed "$ip" | cut -d: -f1-4)::/64 ;;
+								esac
+								echo "$ip $domain"
+								;;
+						esac
+					done
+					;;
+			esac
+		done < /etc/firewall/outbound_whitelist.acl | sort -n -u
+	) > "$tmp"
+
+	if [ $? -ne 0 ]; then
+		echo "Error writing to $out" >&2
+		rm -f "$tmp"
+	elif cmp -s "$tmp" "$out"; then
+		rm -f "$tmp"
+	else
+		echo "--- Differences in $(basename $out): ---"
+		echo
+		diff -u "$out" "$tmp" | grep -v '^\(+++\|---\)' | grep '^[+-]'
+		echo
+		mv -f "$tmp" "$out"
+	fi
+}
+
+load_ipset() {
+	local name="$1" family="$2" file="$3"
+	local tmp="$name-$$"
+
+	ipset -exist create "$name" hash:net family "$family" counters comment
+
+	ipset create "$tmp" hash:net family "$family" counters comment
+	grep -v '^#' "$file" | while read ip name; do
+		ipset -exist add "$tmp" "$ip" comment "$name"
+	done
+	ipset swap "$name" "$tmp"
+	ipset destroy "$tmp"
+}
+
+resolve_hosts A /etc/firewall/outbound_whitelist_ipv4.acl
+resolve_hosts AAAA /etc/firewall/outbound_whitelist_ipv6.acl
+
+load_ipset outbound-whitelist inet /etc/firewall/outbound_whitelist_ipv4.acl
+load_ipset outbound-whitelist-ipv6 inet6 /etc/firewall/outbound_whitelist_ipv6.acl