From 3984559fda756708c622e3d8e1254de9666cd744 Mon Sep 17 00:00:00 2001
From: Sunil Mohan Adapa
Date: Tue, 22 Apr 2014 22:17:18 +0530
Subject: [PATCH] Add a first-run script to be run by freedombox-setup to setup initial state of firewall
---
 lib/freedombox/first-run.d/90_firewall | 48 ++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100755 lib/freedombox/first-run.d/90_firewall
diff --git a/lib/freedombox/first-run.d/90_firewall b/lib/freedombox/first-run.d/90_firewall
new file mode 100755
index 000000000..dadd7fe74
--- /dev/null
+++ b/lib/freedombox/first-run.d/90_firewall
@@ -0,0 +1,48 @@
+#!/bin/sh
+
+# Setup firewall rules for all the enabled services
+
+# Ideally all non essential services are enabled from Plinth
+# which automatically takes care of enabling appropirate firewall
+# ports. This file is used then for essential services and services
+# that are not yet configurable from Plinth.
+
+# HTTP (JWChat, ownCloud)
+firewall-cmd --permanent --add-service=http
+
+# HTTPS (Plinth, JWChat, ownCloud)
+firewall-cmd --permanent --add-service=https
+
+# Tor
+firewall-cmd --permanent --add-port=9050/tcp
+
+# NTP
+firewall-cmd --permanent --add-service=ntp
+
+# DNS
+firewall-cmd --permanent --add-service=dns
+
+# mDNS
+firewall-cmd --permanent --add-service=mdns
+
+# DHCP
+firewall-cmd --permanent --add-service=dhcp
+
+# Bootp Server and Client (not enabled)
+#firewall-cmd --permanent --add-port=67/tcp
+#firewall-cmd --permanent --add-port=67/udp
+#firewall-cmd --permanent --add-port=68/tcp
+#firewall-cmd --permanent --add-port=68/udp
+
+# LDAP (not enabled)
+#firewall-cmd --permanent --add-service=ldap
+#firewall-cmd --permanent --add-service=ldaps
+
+# OpenVPN (not enabled)
+#firewall-cmd --permanent --add-service=openvpn
+
+# Privoxy
+firewall-cmd --permanent --add-port=8118/tcp
+
+# Obfsproxy
+firewall-cmd --permanent --add-port=40202/tcp
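Review bot: The Tor SOCKS port (`--add-port=9050/tcp`) and the Privoxy port (`--add-port=8118/tcp`) are opened in firewalld's default zone unconditionally, with no check that those daemons are installed or intended to listen beyond loopback; if either is ever bound to an external address, this makes the box an open proxy on whatever network the default zone faces. Since the header says this file is for essential services, consider confining those two entries to a trusted zone (`--zone=internal`, if that is where LAN-facing interfaces end up — not visible in this patch) or leaving them commented out like the LDAP and OpenVPN entries until Plinth manages them per service. Separately, `--permanent` only writes the stored configuration, so unless freedombox-setup restarts or reloads firewalld afterwards the rules do not take effect until the next reload; a final `firewall-cmd --reload`, or a comment stating that the caller does it, would make the script self-contained. The script also runs under plain `#!/bin/sh` with no `set -e`, so a missing or failing `firewall-cmd` is silent and the first run still appears to succeed; adding `set -e` after the shebang would at least surface that.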