mirror of
https://github.com/freedombox/FreedomBox.git
synced 2026-03-18 09:10:49 +00:00
f2a4ffe394
Set the default firewall zone. When network connections are configured outside of FreedomBox/Plinth, they will not be able to serve the Plinth web interface. This is because all such interfaces will fall in the default firewall zone and that is, by default, 'public'. On 'public' zone we don't allow Plinth web interface as this zone is not managed. Configuration of network connections happen outside for FreedomBox/Plinth for various reasons: - Existing network connections before installation of freedombox-setup - Connections configured in /etc/network/interfaces - Connections manually configured using nmtui - Connections created using GUI environments such as GNOME Rather then clearing out /etc/network/interfaces during setup and expecting the connections not to be created outside of Plinth, setting the default firewall zone is a better approach. This default zone selection fits with the main purpose of FreedomBox to be a router which is also reflected by the fact that only 'external'
103 lines
3.8 KiB
Bash
Executable File
103 lines
3.8 KiB
Bash
Executable File
#!/bin/sh
|
|
#
|
|
# This file is part of Plinth.
|
|
#
|
|
# This program is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU Affero General Public License as
|
|
# published by the Free Software Foundation, either version 3 of the
|
|
# License, or (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU Affero General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU Affero General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
#
|
|
|
|
# Enable tracing to see the commands in
|
|
# /var/log/freedombox-first-run.log
|
|
set -x
|
|
|
|
# Set the default firewall zone. When network connections are
|
|
# configured outside of FreedomBox/Plinth, they will not be able to
|
|
# serve the Plinth web interface. This is because all such interfaces
|
|
# will fall in the default firewall zone and that is, by default,
|
|
# 'public'. On 'public' zone we don't allow Plinth web interface as
|
|
# this zone is not managed.
|
|
#
|
|
# Configuration of network connections happen outside for
|
|
# FreedomBox/Plinth for various reasons:
|
|
#
|
|
# - Existing network connections before installation of
|
|
# freedombox-setup
|
|
#
|
|
# - Connections configured in /etc/network/interfaces
|
|
#
|
|
# - Connections manually configured using nmtui
|
|
#
|
|
# - Connections created using GUI environments such as GNOME
|
|
#
|
|
# Rather then clearing out /etc/network/interfaces during setup and
|
|
# expecting the connections not to be created outside of Plinth,
|
|
# setting the default firewall zone is a better approach. This
|
|
# default zone selection fits with the main purpose of FreedomBox to
|
|
# be a router which is also reflected by the fact that only 'external'
|
|
# and 'internal' zones are managed.
|
|
firewall-cmd --set-default-zone=external
|
|
|
|
# Setup firewall rules for all the services enabled by default.
|
|
# Ideally all non-essential services are enabled from Plinth which
|
|
# automatically takes care of enabling appropirate firewall ports. The
|
|
# following is then for essential services and services that are not
|
|
# yet configurable from Plinth.
|
|
|
|
# HTTP (JWChat, ownCloud)
|
|
firewall-cmd --zone=external --permanent --add-service=http
|
|
firewall-cmd --zone=internal --permanent --add-service=http
|
|
|
|
# HTTPS (Plinth, JWChat, ownCloud)
|
|
firewall-cmd --zone=external --permanent --add-service=https
|
|
firewall-cmd --zone=internal --permanent --add-service=https
|
|
|
|
# Tor
|
|
firewall-cmd --zone=internal --permanent --add-service=tor-socks
|
|
|
|
# NTP
|
|
firewall-cmd --zone=internal --permanent --add-service=ntp
|
|
|
|
# DNS
|
|
firewall-cmd --zone=internal --permanent --add-service=dns
|
|
|
|
# mDNS
|
|
firewall-cmd --zone=internal --permanent --add-service=mdns
|
|
|
|
# DHCP
|
|
firewall-cmd --zone=internal --permanent --add-service=dhcp
|
|
|
|
# Bootp Server and Client (not enabled)
|
|
#firewall-cmd --zone=internal --permanent --add-port=67/tcp
|
|
#firewall-cmd --zone=internal --permanent --add-port=67/udp
|
|
#firewall-cmd --zone=internal --permanent --add-port=68/tcp
|
|
#firewall-cmd --zone=internal --permanent --add-port=68/udp
|
|
|
|
# LDAP (not enabled)
|
|
#firewall-cmd --zone=internal --permanent --add-service=ldap
|
|
#firewall-cmd --zone=internal --permanent --add-service=ldaps
|
|
|
|
# OpenVPN (not enabled)
|
|
#firewall-cmd --zone=external --permanent --add-service=openvpn
|
|
#firewall-cmd --zone=internal --permanent --add-service=openvpn
|
|
|
|
# Privoxy
|
|
firewall-cmd --zone=internal --permanent --add-service=privoxy
|
|
|
|
# XMPP
|
|
firewall-cmd --zone=external --permanent --add-service=xmpp-server
|
|
firewall-cmd --zone=internal --permanent --add-service=xmpp-server
|
|
firewall-cmd --zone=external --permanent --add-service=xmpp-client
|
|
firewall-cmd --zone=internal --permanent --add-service=xmpp-client
|
|
firewall-cmd --zone=external --permanent --add-service=xmpp-bosh
|
|
firewall-cmd --zone=internal --permanent --add-service=xmpp-bosh
|