FreedomBox/data/usr/lib/freedombox/first-run.d/90_firewall

#!/bin/sh
#
# This file is part of Plinth.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#

# Exit with an error code on any failure
set -e

# Enable tracing to see the commands in
# /var/log/freedombox-first-run.log
set -x

# Set the default firewall zone.  When network connections are
# configured outside of FreedomBox/Plinth, they will not be able to
# serve the Plinth web interface.  This is because all such interfaces
# will fall in the default firewall zone and that is, by default,
# 'public'.  On 'public' zone we don't allow Plinth web interface as
# this zone is not managed.
#
# Configuration of network connections happen outside for
# FreedomBox/Plinth for various reasons:
#
#  - Existing network connections before installation of
#    freedombox-setup
#
#  - Connections configured in /etc/network/interfaces
#
#  - Connections manually configured using nmtui
#
#  - Connections created using GUI environments such as GNOME
#
# Rather then clearing out /etc/network/interfaces during setup and
# expecting the connections not to be created outside of Plinth,
# setting the default firewall zone is a better approach.  This
# default zone selection fits with the main purpose of FreedomBox to
# be a router which is also reflected by the fact that only 'external'
# and 'internal' zones are managed.
firewall-cmd --set-default-zone=external

# Setup firewall rules for all the services enabled by default.
# Ideally all non-essential services are enabled from Plinth which
# automatically takes care of enabling appropirate firewall ports. The
# following is then for essential services and services that are not
# yet configurable from Plinth.

# HTTP (JWChat, ownCloud)
firewall-cmd --zone=external --permanent --add-service=http
firewall-cmd --zone=internal --permanent --add-service=http

# HTTPS (Plinth, JWChat, ownCloud)
firewall-cmd --zone=external --permanent --add-service=https
firewall-cmd --zone=internal --permanent --add-service=https

# Tor
firewall-cmd --zone=internal --permanent --add-service=tor-socks

# NTP
firewall-cmd --zone=internal --permanent --add-service=ntp

# DNS
firewall-cmd --zone=internal --permanent --add-service=dns

# mDNS
firewall-cmd --zone=internal --permanent --add-service=mdns

# DHCP
firewall-cmd --zone=internal --permanent --add-service=dhcp

# Bootp Server and Client (not enabled)
#firewall-cmd --zone=internal --permanent --add-port=67/tcp
#firewall-cmd --zone=internal --permanent --add-port=67/udp
#firewall-cmd --zone=internal --permanent --add-port=68/tcp
#firewall-cmd --zone=internal --permanent --add-port=68/udp

# LDAP (not enabled)
#firewall-cmd --zone=internal --permanent --add-service=ldap
#firewall-cmd --zone=internal --permanent --add-service=ldaps

# OpenVPN (not enabled)
#firewall-cmd --zone=external --permanent --add-service=openvpn
#firewall-cmd --zone=internal --permanent --add-service=openvpn

# Privoxy
firewall-cmd --zone=internal --permanent --add-service=privoxy

# XMPP
firewall-cmd --zone=external --permanent --add-service=xmpp-server
firewall-cmd --zone=internal --permanent --add-service=xmpp-server
firewall-cmd --zone=external --permanent --add-service=xmpp-client
firewall-cmd --zone=internal --permanent --add-service=xmpp-client
firewall-cmd --zone=external --permanent --add-service=xmpp-bosh
firewall-cmd --zone=internal --permanent --add-service=xmpp-bosh