#!/bin/sh # # This file is part of Plinth. # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU Affero General Public License as # published by the Free Software Foundation, either version 3 of the # License, or (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU Affero General Public License for more details. # # You should have received a copy of the GNU Affero General Public License # along with this program. If not, see . # # Enable tracing to see the commands in # /var/log/freedombox-first-run.log set -x # Setup interfaces into appropriate zones. XXX: This is ideally done # by network configuration as network configuration tool/scripts have # better idea of what the interfaces are. There should also be a UI in # Plinth to classify each interface as external or internal. # If more than one interfaces is available, assume eth0 is external # and rest are internal interfaces. INTERFACES=$(interface-detect | grep wired | grep -v lo | cut -f1 -d,) NO_OF_INTERFACES=$(echo $INTERFACES | wc --words) if [ $NO_OF_INTERFACES -gt '1' ] then for INTERFACE in $INTERFACES do if [ $INTERFACE = 'eth0' ] then ZONE='external' else ZONE='internal' fi firewall-cmd --zone=$ZONE --permanent --add-interface=$INTERFACE done fi # If only one interface is available, assume it to be internal so that # services are available on this only possible interface. This means # that all services which are meant to available only internally will # be available externally if the interface is publicly accessible. # XXX: To avoid this, FreedomBox should configure at least two # interfaces. If only one network hardware device is available, an # alias such as 'eth0:1' could be created and can act as internal # interface. if [ $NO_OF_INTERFACES -eq '1' ] then firewall-cmd --zone=internal --permanent --add-interface="$INTERFACES" fi # Setup firewall rules for all the services enabled by default. # Ideally all non-essential services are enabled from Plinth which # automatically takes care of enabling appropirate firewall ports. The # following is then for essential services and services that are not # yet configurable from Plinth. # HTTP (JWChat, ownCloud) firewall-cmd --zone=external --permanent --add-service=http firewall-cmd --zone=internal --permanent --add-service=http # HTTPS (Plinth, JWChat, ownCloud) firewall-cmd --zone=external --permanent --add-service=https firewall-cmd --zone=internal --permanent --add-service=https # Tor firewall-cmd --zone=internal --permanent --add-service=tor-socks # NTP firewall-cmd --zone=internal --permanent --add-service=ntp # DNS firewall-cmd --zone=internal --permanent --add-service=dns # mDNS firewall-cmd --zone=internal --permanent --add-service=mdns # DHCP firewall-cmd --zone=internal --permanent --add-service=dhcp # Bootp Server and Client (not enabled) #firewall-cmd --zone=internal --permanent --add-port=67/tcp #firewall-cmd --zone=internal --permanent --add-port=67/udp #firewall-cmd --zone=internal --permanent --add-port=68/tcp #firewall-cmd --zone=internal --permanent --add-port=68/udp # LDAP (not enabled) #firewall-cmd --zone=internal --permanent --add-service=ldap #firewall-cmd --zone=internal --permanent --add-service=ldaps # OpenVPN (not enabled) #firewall-cmd --zone=external --permanent --add-service=openvpn #firewall-cmd --zone=internal --permanent --add-service=openvpn # Privoxy firewall-cmd --zone=internal --permanent --add-service=privoxy # XMPP firewall-cmd --zone=external --permanent --add-service=xmpp-server firewall-cmd --zone=internal --permanent --add-service=xmpp-server firewall-cmd --zone=external --permanent --add-service=xmpp-client firewall-cmd --zone=internal --permanent --add-service=xmpp-client firewall-cmd --zone=external --permanent --add-service=xmpp-bosh firewall-cmd --zone=internal --permanent --add-service=xmpp-bosh