#!/bin/sh # # This file is part of Plinth. # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU Affero General Public License as # published by the Free Software Foundation, either version 3 of the # License, or (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU Affero General Public License for more details. # # You should have received a copy of the GNU Affero General Public License # along with this program. If not, see . # # Enable tracing to see the commands in # /var/log/freedombox-first-run.log set -x # Set the default firewall zone. When network connections are # configured outside of FreedomBox/Plinth, they will not be able to # serve the Plinth web interface. This is because all such interfaces # will fall in the default firewall zone and that is, by default, # 'public'. On 'public' zone we don't allow Plinth web interface as # this zone is not managed. # # Configuration of network connections happen outside for # FreedomBox/Plinth for various reasons: # # - Existing network connections before installation of # freedombox-setup # # - Connections configured in /etc/network/interfaces # # - Connections manually configured using nmtui # # - Connections created using GUI environments such as GNOME # # Rather then clearing out /etc/network/interfaces during setup and # expecting the connections not to be created outside of Plinth, # setting the default firewall zone is a better approach. This # default zone selection fits with the main purpose of FreedomBox to # be a router which is also reflected by the fact that only 'external' # and 'internal' zones are managed. firewall-cmd --set-default-zone=external # Setup firewall rules for all the services enabled by default. # Ideally all non-essential services are enabled from Plinth which # automatically takes care of enabling appropirate firewall ports. The # following is then for essential services and services that are not # yet configurable from Plinth. # HTTP (JWChat, ownCloud) firewall-cmd --zone=external --permanent --add-service=http firewall-cmd --zone=internal --permanent --add-service=http # HTTPS (Plinth, JWChat, ownCloud) firewall-cmd --zone=external --permanent --add-service=https firewall-cmd --zone=internal --permanent --add-service=https # Tor firewall-cmd --zone=internal --permanent --add-service=tor-socks # NTP firewall-cmd --zone=internal --permanent --add-service=ntp # DNS firewall-cmd --zone=internal --permanent --add-service=dns # mDNS firewall-cmd --zone=internal --permanent --add-service=mdns # DHCP firewall-cmd --zone=internal --permanent --add-service=dhcp # Bootp Server and Client (not enabled) #firewall-cmd --zone=internal --permanent --add-port=67/tcp #firewall-cmd --zone=internal --permanent --add-port=67/udp #firewall-cmd --zone=internal --permanent --add-port=68/tcp #firewall-cmd --zone=internal --permanent --add-port=68/udp # LDAP (not enabled) #firewall-cmd --zone=internal --permanent --add-service=ldap #firewall-cmd --zone=internal --permanent --add-service=ldaps # OpenVPN (not enabled) #firewall-cmd --zone=external --permanent --add-service=openvpn #firewall-cmd --zone=internal --permanent --add-service=openvpn # Privoxy firewall-cmd --zone=internal --permanent --add-service=privoxy # XMPP firewall-cmd --zone=external --permanent --add-service=xmpp-server firewall-cmd --zone=internal --permanent --add-service=xmpp-server firewall-cmd --zone=external --permanent --add-service=xmpp-client firewall-cmd --zone=internal --permanent --add-service=xmpp-client firewall-cmd --zone=external --permanent --add-service=xmpp-bosh firewall-cmd --zone=internal --permanent --add-service=xmpp-bosh