firewall: Move remaining setup steps to Plinth

There is no need to restart firewalld after the setup steps run. Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org> Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2026-03-11 09:04:54 +00:00 · 2017-08-31 19:28:26 +05:30 · 2017-08-31 19:28:26 +05:30 · 2e55acb465
commit 2e55acb465
parent f5a5ee1f04
3 changed files with 25 additions and 74 deletions
--- a/actions/firewall
+++ b/actions/firewall
@ -30,6 +30,9 @@ def parse_arguments():
    parser = argparse.ArgumentParser()
    subparsers = parser.add_subparsers(dest='subcommand', help='Sub command')

+    # Setup
+    subparsers.add_parser('setup', help='Perform basic firewall setup')
+
    # Get status
    subparsers.add_parser('get-status',
                          help='Get whether firewalld is running')
@ -61,6 +64,18 @@ def parse_arguments():
    return parser.parse_args()


+def subcommand_setup(_):
+    """Perform basic firewalld setup."""
+    subprocess.call(['firewall-cmd', '--set-default-zone=external'])
+
+    add_service('external', 'http')
+    add_service('internal', 'http')
+    add_service('external', 'https')
+    add_service('internal', 'https')
+    add_service('internal', 'dns')
+    add_service('internal', 'dhcp')
+
+
 def subcommand_get_status(_):
    """Print status of the firewalld service"""
    subprocess.call(['firewall-cmd', '--state'])
@ -73,11 +88,15 @@ def subcommand_get_enabled_services(arguments):


 def subcommand_add_service(arguments):
-    """Permit a service in the firewall"""
-    subprocess.call(['firewall-cmd', '--zone', arguments.zone, '--add-service',
-                     arguments.service])
-    subprocess.call(['firewall-cmd', '--zone', arguments.zone, '--permanent',
-                     '--add-service', arguments.service])
+    """Permit a service in the firewall."""
+    add_service(arguments.zone, arguments.service)
+
+
+def add_service(zone, service):
+    """Permit a service in the firewall."""
+    subprocess.call(['firewall-cmd', '--zone', zone, '--add-service', service])
+    subprocess.call(['firewall-cmd', '--zone', zone, '--permanent',
+                     '--add-service', service])


 def subcommand_remove_service(arguments):
--- a/data/usr/lib/freedombox/first-run.d/90_firewall
+++ b/data/usr/lib/freedombox/first-run.d/90_firewall
@ -1,69 +0,0 @@
-#!/bin/sh
-#
-# This file is part of Plinth.
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Affero General Public License as
-# published by the Free Software Foundation, either version 3 of the
-# License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU Affero General Public License for more details.
-#
-# You should have received a copy of the GNU Affero General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-#
-
-# Exit with an error code on any failure
-set -e
-
-# Enable tracing to see the commands in
-# /var/log/freedombox-first-run.log
-set -x
-
-# Set the default firewall zone.  When network connections are
-# configured outside of FreedomBox/Plinth, they will not be able to
-# serve the Plinth web interface.  This is because all such interfaces
-# will fall in the default firewall zone and that is, by default,
-# 'public'.  On 'public' zone we don't allow Plinth web interface as
-# this zone is not managed.
-#
-# Configuration of network connections happen outside for
-# FreedomBox/Plinth for various reasons:
-#
-#  - Existing network connections before installation of
-#    freedombox-setup
-#
-#  - Connections configured in /etc/network/interfaces
-#
-#  - Connections manually configured using nmtui
-#
-#  - Connections created using GUI environments such as GNOME
-#
-# Rather then clearing out /etc/network/interfaces during setup and
-# expecting the connections not to be created outside of Plinth,
-# setting the default firewall zone is a better approach.  This
-# default zone selection fits with the main purpose of FreedomBox to
-# be a router which is also reflected by the fact that only 'external'
-# and 'internal' zones are managed.
-firewall-cmd --set-default-zone=external
-
-# Setup firewall rules for all the services enabled by default. Ideally all
-# essential services are enabled from Plinth which automatically takes care of
-# enabling appropirate firewall ports.
-
-# HTTP
-firewall-cmd --zone=external --permanent --add-service=http
-firewall-cmd --zone=internal --permanent --add-service=http
-
-# HTTPS
-firewall-cmd --zone=external --permanent --add-service=https
-firewall-cmd --zone=internal --permanent --add-service=https
-
-# DNS
-firewall-cmd --zone=internal --permanent --add-service=dns
-
-# DHCP
-firewall-cmd --zone=internal --permanent --add-service=dhcp
--- a/plinth/modules/firewall/init.py
+++ b/plinth/modules/firewall/init.py
@ -60,6 +60,7 @@ def init():
 def setup(helper, old_version=None):
    """Install and configure the module."""
    helper.install(managed_packages)
+    _run(['setup'], superuser=True)


 def get_enabled_status():