diff --git a/actions/firewall b/actions/firewall
index ec65993fd..51d1c5273 100755
--- a/actions/firewall
+++ b/actions/firewall
@@ -30,6 +30,9 @@ def parse_arguments():
 parser = argparse.ArgumentParser()
 subparsers = parser.add_subparsers(dest='subcommand', help='Sub command')
+ # Setup
+ subparsers.add_parser('setup', help='Perform basic firewall setup')
+
 # Get status
 subparsers.add_parser('get-status', help='Get whether firewalld is running')
@@ -61,6 +64,18 @@ def parse_arguments():
 return parser.parse_args()
+def subcommand_setup(_):
+ """Perform basic firewalld setup."""
+ subprocess.call(['firewall-cmd', '--set-default-zone=external'])
+
+ add_service('external', 'http')
+ add_service('internal', 'http')
+ add_service('external', 'https')
+ add_service('internal', 'https')
+ add_service('internal', 'dns')
+ add_service('internal', 'dhcp')
+
+
 def subcommand_get_status(_):
 """Print status of the firewalld service"""
 subprocess.call(['firewall-cmd', '--state'])
@@ -73,11 +88,15 @@ def subcommand_get_enabled_services(arguments):
 def subcommand_add_service(arguments):
- """Permit a service in the firewall"""
- subprocess.call(['firewall-cmd', '--zone', arguments.zone, '--add-service',
- arguments.service])
- subprocess.call(['firewall-cmd', '--zone', arguments.zone, '--permanent',
- '--add-service', arguments.service])
+ """Permit a service in the firewall."""
+ add_service(arguments.zone, arguments.service)
+
+
+def add_service(zone, service):
+ """Permit a service in the firewall."""
+ subprocess.call(['firewall-cmd', '--zone', zone, '--add-service', service])
+ subprocess.call(['firewall-cmd', '--zone', zone, '--permanent',
+ '--add-service', service])
 def subcommand_remove_service(arguments):
diff --git a/data/usr/lib/freedombox/first-run.d/90_firewall b/data/usr/lib/freedombox/first-run.d/90_firewall
deleted file mode 100755
index dbf4d8577..000000000
--- a/data/usr/lib/freedombox/first-run.d/90_firewall
+++ /dev/null
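Review bot: `subcommand_setup` discards the exit status of every `subprocess.call`, so a failed `--set-default-zone=external` (or a failed `add_service`) leaves the box on the `public` default zone while setup reports success, whereas the deleted first-run script ran under `set -e` and would have aborted at the first failure. Use `subprocess.check_call(['firewall-cmd', '--set-default-zone=external'])` here, and the same in `add_service` in the next hunk, so that `CalledProcessError` propagates to the caller instead of being lost. The shell script's rationale for choosing `external` as the default zone is dropped by this commit; a condensed why-comment above the `--set-default-zone` call would preserve it, e.g. `# Interfaces configured outside Plinth land in the default zone; 'public' would not serve the web interface, 'external' is the managed zone that does.` The docstring could also say whether the action is meant to be safe to re-run: firewall-cmd reports ALREADY_ENABLED for a service that is already permitted, and whether that yields a non-zero exit status on the targeted firewalld version should be confirmed before making these calls fail-fast.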
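Review bot: The docstring of `add_service` is a copy of `subcommand_add_service`'s and does not say what the helper actually does, which is apply the rule twice, once to the running firewall and once with `--permanent` so it persists across a firewalld reload or reboot. Suggest `"""Permit service in zone, both in the running firewall and in the permanent configuration."""` for the helper, and a short comment on the second call such as `# Permanent copy of the rule; the first call only changed runtime state`. With two separate invocations a reader should also know that the runtime and permanent rule sets can diverge if only one of them succeeds, which the docstring is the natural place to state.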
@@ -1,69 +0,0 @@ -#!/bin/sh -# -# This file is part of Plinth. -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU Affero General Public License as -# published by the Free Software Foundation, either version 3 of the -# License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU Affero General Public License for more details. -# -# You should have received a copy of the GNU Affero General Public License -# along with this program. If not, see . -# - -# Exit with an error code on any failure -set -e - -# Enable tracing to see the commands in -# /var/log/freedombox-first-run.log -set -x - -# Set the default firewall zone. When network connections are -# configured outside of FreedomBox/Plinth, they will not be able to -# serve the Plinth web interface. This is because all such interfaces -# will fall in the default firewall zone and that is, by default, -# 'public'. On 'public' zone we don't allow Plinth web interface as -# this zone is not managed. -# -# Configuration of network connections happen outside for -# FreedomBox/Plinth for various reasons: -# -# - Existing network connections before installation of -# freedombox-setup -# -# - Connections configured in /etc/network/interfaces -# -# - Connections manually configured using nmtui -# -# - Connections created using GUI environments such as GNOME -# -# Rather then clearing out /etc/network/interfaces during setup and -# expecting the connections not to be created outside of Plinth, -# setting the default firewall zone is a better approach. This -# default zone selection fits with the main purpose of FreedomBox to -# be a router which is also reflected by the fact that only 'external' -# and 'internal' zones are managed. 
-firewall-cmd --set-default-zone=external
-
-# Setup firewall rules for all the services enabled by default. Ideally all
-# essential services are enabled from Plinth which automatically takes care of
-# enabling appropirate firewall ports.
-
-# HTTP
-firewall-cmd --zone=external --permanent --add-service=http
-firewall-cmd --zone=internal --permanent --add-service=http
-
-# HTTPS
-firewall-cmd --zone=external --permanent --add-service=https
-firewall-cmd --zone=internal --permanent --add-service=https
-
-# DNS
-firewall-cmd --zone=internal --permanent --add-service=dns
-
-# DHCP
-firewall-cmd --zone=internal --permanent --add-service=dhcp
diff --git a/plinth/modules/firewall/__init__.py b/plinth/modules/firewall/__init__.py
index ab42cec23..2b5f7ea08 100644
--- a/plinth/modules/firewall/__init__.py
+++ b/plinth/modules/firewall/__init__.py
@@ -60,6 +60,7 @@ def init():
 def setup(helper, old_version=None):
 """Install and configure the module."""
 helper.install(managed_packages)
+ _run(['setup'], superuser=True)
 def get_enabled_status():
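Review bot: `_run(['setup'], superuser=True)` is called unconditionally in `setup()`, and since the function takes `old_version` it presumably also runs on module upgrades; every upgrade would then reset the default zone to `external` and re-add the six default services, silently undoing any zone or service changes an administrator made after installation. The first-run script this replaces ran once, so if that is the intended semantics guard the call, e.g. `if not old_version: _run(['setup'], superuser=True)`, or otherwise state in the docstring that the firewall defaults are reapplied on every setup. The result of `_run` is also not inspected, so a failing action would go unnoticed here unless `_run` itself raises; that depends on `_run`'s definition, which is outside this hunk.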