From f2a4ffe394b46e35f17820d8f70f83a8baea34e9 Mon Sep 17 00:00:00 2001
From: Sunil Mohan Adapa
Date: Sun, 29 Nov 2015 19:03:05 +0530
Subject: [PATCH] firewall: Make default zone as 'external'

Set the default firewall zone. When network connections are configured outside of FreedomBox/Plinth, they will not be able to serve the Plinth web interface. This is because all such interfaces will fall in the default firewall zone and that is, by default, 'public'. On 'public' zone we don't allow Plinth web interface as this zone is not managed.

Configuration of network connections happens outside of FreedomBox/Plinth for various reasons:

- Existing network connections before installation of freedombox-setup
- Connections configured in /etc/network/interfaces
- Connections manually configured using nmtui
- Connections created using GUI environments such as GNOME

Rather than clearing out /etc/network/interfaces during setup and expecting the connections not to be created outside of Plinth, setting the default firewall zone is a better approach. This default zone selection fits with the main purpose of FreedomBox to be a router which is also reflected by the fact that only 'external'
---
 .../lib/freedombox/first-run.d/90_firewall | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/data/usr/lib/freedombox/first-run.d/90_firewall b/data/usr/lib/freedombox/first-run.d/90_firewall
index b3615dec3..2c1858823 100755
--- a/data/usr/lib/freedombox/first-run.d/90_firewall
+++ b/data/usr/lib/freedombox/first-run.d/90_firewall
@@ -20,6 +20,33 @@ # /var/log/freedombox-first-run.log set -x +# Set the default firewall zone. When network connections are +# configured outside of FreedomBox/Plinth, they will not be able to +# serve the Plinth web interface. This is because all such interfaces +# will fall in the default firewall zone and that is, by default, +# 'public'. On 'public' zone we don't allow Plinth web interface as +# this zone is not managed. +# +# Configuration of network connections happen outside for +# FreedomBox/Plinth for various reasons: +# +# - Existing network connections before installation of +# freedombox-setup +# +# - Connections configured in /etc/network/interfaces +# +# - Connections manually configured using nmtui +# +# - Connections created using GUI environments such as GNOME +# +# Rather then clearing out /etc/network/interfaces during setup and +# expecting the connections not to be created outside of Plinth, +# setting the default firewall zone is a better approach. This +# default zone selection fits with the main purpose of FreedomBox to +# be a router which is also reflected by the fact that only 'external' +# and 'internal' zones are managed. +firewall-cmd --set-default-zone=external + # Setup firewall rules for all the services enabled by default. # Ideally all non-essential services are enabled from Plinth which # automatically takes care of enabling appropirate firewall ports. The
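
Review bot: The added `firewall-cmd --set-default-zone=external` call has no check on its result, and the visible context shows only `set -x`, so a failure at first run (for example, firewalld not yet running) would leave the default zone at 'public' with nothing but a trace line in /var/log/freedombox-first-run.log. Suggest testing the exit status and logging an explicit failure, e.g. `firewall-cmd --set-default-zone=external || echo "could not set default firewall zone" >&2`. The comment should also spell out the trade-off it implies: every interface configured outside Plinth, including connections made from nmtui or a GNOME session, now lands in a zone where the Plinth web interface is served, so the administrative interface becomes reachable on networks Plinth does not manage. Minor wording in the comment: "Rather then" should read "Rather than", and "happen outside for" should read "happens outside of".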