From bc76f9237fdbbd5f49197146cc00544df8bd908e Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Sun, 3 Jul 2016 18:52:57 +0100 Subject: [PATCH] Move firewall functions into app scripts --- src/freedombone-app-babel | 15 + src/freedombone-app-batman | 13 + src/freedombone-app-cjdns | 721 +++++++++++++++++---------------- src/freedombone-app-dlna | 21 + src/freedombone-app-email | 28 ++ src/freedombone-app-ipfs | 21 + src/freedombone-app-irc | 23 ++ src/freedombone-app-mumble | 19 + src/freedombone-app-sip | 44 ++ src/freedombone-app-syncthing | 13 + src/freedombone-app-tox | 19 + src/freedombone-app-xmpp | 26 ++ src/freedombone-app-zeronet | 20 + src/freedombone-utils-firewall | 273 ------------- 14 files changed, 631 insertions(+), 625 deletions(-) diff --git a/src/freedombone-app-babel b/src/freedombone-app-babel index 9b86c23a..b39e3548 100755 --- a/src/freedombone-app-babel +++ b/src/freedombone-app-babel @@ -32,6 +32,21 @@ ENABLE_BABEL="no" BABEL_PORT=6696 +function configure_firewall_for_babel { + if grep -Fxq "configure_firewall_for_babel" $COMPLETION_FILE; then + return + fi + if [[ $ENABLE_BABEL != "yes" ]]; then + return + fi + iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $BABEL_PORT -j ACCEPT + function_check save_firewall_settings + save_firewall_settings + + OPEN_PORTS+=("Babel $BABEL_PORT") + echo 'configure_firewall_for_babel' >> $COMPLETION_FILE +} + function mesh_babel { if grep -Fxq "mesh_babel" $COMPLETION_FILE; then return diff --git a/src/freedombone-app-batman b/src/freedombone-app-batman index 39bb4f06..c159f178 100755 --- a/src/freedombone-app-batman +++ b/src/freedombone-app-batman 
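Review bot: The completion marker `echo 'configure_firewall_for_babel' >> $COMPLETION_FILE` is appended whether or not the preceding `iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $BABEL_PORT -j ACCEPT` succeeded, so a failed insertion (for instance an unset `WIFI_INTERFACE`, which is unquoted here and would leave `-i` taking `-p` as its argument) is recorded as done and never retried; I cannot see whether `set -e` is active in these scripts, so assume it is not. Gate the marker on the rule actually landing, e.g. `iptables -A INPUT -i "$WIFI_INTERFACE" -p udp --dport "$BABEL_PORT" -j ACCEPT || return 1` ahead of the `save_firewall_settings` call, so the early return skips both the save and the marker. The same unconditional-marker pattern is in the new configure_firewall_for_batman, configure_firewall_for_cjdns, configure_firewall_for_dlna, configure_firewall_for_email and configure_firewall_for_ipfs functions elsewhere in this patch.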
@@ -32,6 +32,19 @@ ENABLE_BATMAN="no" BATMAN_CELLID='any' +function configure_firewall_for_batman { + if grep -Fxq "configure_firewall_for_batman" $COMPLETION_FILE; then + return + fi + if [[ $ENABLE_BATMAN != "yes" ]]; then + return + fi + + function_check save_firewall_settings + save_firewall_settings + echo 'configure_firewall_for_batman' >> $COMPLETION_FILE +} + function mesh_batman { if grep -Fxq "mesh_batman" $COMPLETION_FILE; then return diff --git a/src/freedombone-app-cjdns b/src/freedombone-app-cjdns index a4111e0b..ed54bca9 100755 --- a/src/freedombone-app-cjdns +++ b/src/freedombone-app-cjdns 
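Review bot: configure_firewall_for_batman inserts no iptables rule before `save_firewall_settings`, so its only effects are re-persisting whatever ruleset is current and appending its completion marker. If batman genuinely needs no port opened (this hunk does not say), a comment above the `function_check save_firewall_settings` line such as `# no INPUT rule is needed for batman; this only persists the ruleset and records completion` would stop the next reader from assuming a rule was lost in the move out of freedombone-utils-firewall. If the removed utils code did apply a rule for batman, it should be carried over here rather than dropped.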
@@ -40,408 +40,425 @@ CJDNS_COMMIT='13189fde111d0500427a7a0ce06a970753527bca' CJDCMD_REPO="https://github.com/inhies/cjdcmd" CJDCMD_COMMIT='973cca6ed0eecf9041c3403a40193c0b1291b808' +function configure_firewall_for_cjdns { + if grep -Fxq "configure_firewall_for_cjdns" $COMPLETION_FILE; then + return + fi + if [[ $ENABLE_CJDNS != "yes" ]]; then + return + fi + ip6tables -t nat -A POSTROUTING -o tun0 -j MASQUERADE + ip6tables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT + function_check save_firewall_settings + save_firewall_settings + echo 'configure_firewall_for_cjdns' >> $COMPLETION_FILE +} + function get_cjdns_public_key { - if [ -f /home/$MY_USERNAME/README ]; then - if grep -q "cjdns public key" /home/$MY_USERNAME/README; then - if [ ! $CJDNS_PUBLIC_KEY ]; then - CJDNS_PUBLIC_KEY=$(cat /home/$MY_USERNAME/README | grep "cjdns public key" | awk -F ':' '{print $2}' | sed 's/^ *//') - fi - fi - fi + if [ -f /home/$MY_USERNAME/README ]; then + if grep -q "cjdns public key" /home/$MY_USERNAME/README; then + if [ ! $CJDNS_PUBLIC_KEY ]; then + CJDNS_PUBLIC_KEY=$(cat /home/$MY_USERNAME/README | grep "cjdns public key" | awk -F ':' '{print $2}' | sed 's/^ *//') + fi + fi + fi } function get_cjdns_private_key { - if [ -f /home/$MY_USERNAME/README ]; then - if grep -q "cjdns private key" /home/$MY_USERNAME/README; then - if [ ! $CJDNS_PRIVATE_KEY ]; then - CJDNS_PRIVATE_KEY=$(cat /home/$MY_USERNAME/README | grep "cjdns private key" | awk -F ':' '{print $2}' | sed 's/^ *//') - fi - fi - fi + if [ -f /home/$MY_USERNAME/README ]; then + if grep -q "cjdns private key" /home/$MY_USERNAME/README; then + if [ ! $CJDNS_PRIVATE_KEY ]; then + CJDNS_PRIVATE_KEY=$(cat /home/$MY_USERNAME/README | grep "cjdns private key" | awk -F ':' '{print $2}' | sed 's/^ *//') + fi + fi + fi } function get_cjdns_ipv6_address { - if [ -f /home/$MY_USERNAME/README ]; then - if grep -q "cjdns IPv6 address" /home/$MY_USERNAME/README; then - if [ ! 
$CJDNS_IPV6 ]; then - CJDNS_IPV6=$(cat /home/$MY_USERNAME/README | grep "cjdns IPv6 address" | awk -F ':' '{print $2}' | sed 's/^ *//') - fi - fi - fi + if [ -f /home/$MY_USERNAME/README ]; then + if grep -q "cjdns IPv6 address" /home/$MY_USERNAME/README; then + if [ ! $CJDNS_IPV6 ]; then + CJDNS_IPV6=$(cat /home/$MY_USERNAME/README | grep "cjdns IPv6 address" | awk -F ':' '{print $2}' | sed 's/^ *//') + fi + fi + fi } function get_cjdns_port { - if [ -f /home/$MY_USERNAME/README ]; then - if grep -q "cjdns port" /home/$MY_USERNAME/README; then - if [ ! $CJDNS_PORT ]; then - CJDNS_PORT=$(cat /home/$MY_USERNAME/README | grep "cjdns port" | awk -F ':' '{print $2}' | sed 's/^ *//') - fi - fi - fi + if [ -f /home/$MY_USERNAME/README ]; then + if grep -q "cjdns port" /home/$MY_USERNAME/README; then + if [ ! $CJDNS_PORT ]; then + CJDNS_PORT=$(cat /home/$MY_USERNAME/README | grep "cjdns port" | awk -F ':' '{print $2}' | sed 's/^ *//') + fi + fi + fi } function get_cjdns_password { - if [ -f /home/$MY_USERNAME/README ]; then - if grep -q "cjdns password" /home/$MY_USERNAME/README; then - if [ ! $CJDNS_PASSWORD ]; then - CJDNS_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "cjdns password" | awk -F ':' '{print $2}' | sed 's/^ *//') - fi - fi - fi + if [ -f /home/$MY_USERNAME/README ]; then + if grep -q "cjdns password" /home/$MY_USERNAME/README; then + if [ ! 
$CJDNS_PASSWORD ]; then + CJDNS_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "cjdns password" | awk -F ':' '{print $2}' | sed 's/^ *//') + fi + fi + fi } function mesh_cjdns { - if [[ $ENABLE_CJDNS != "yes" ]]; then - return - fi + if [[ $ENABLE_CJDNS != "yes" ]]; then + return + fi - # update to the next commit - function_check set_repo_commit - set_repo_commit /etc/cjdns "cjdns commit" "$CJDNS_COMMIT" $CJDNS_REPO + # update to the next commit + function_check set_repo_commit + set_repo_commit /etc/cjdns "cjdns commit" "$CJDNS_COMMIT" $CJDNS_REPO - if grep -Fxq "mesh_cjdns" $COMPLETION_FILE; then - return - fi + if grep -Fxq "mesh_cjdns" $COMPLETION_FILE; then + return + fi - apt-get -y install nodejs git build-essential nmap + apt-get -y install nodejs git build-essential nmap - # if a README exists then obtain the cjdns parameters - function_check get_cjdns_ipv6_address - get_cjdns_ipv6_address + # if a README exists then obtain the cjdns parameters + function_check get_cjdns_ipv6_address + get_cjdns_ipv6_address - function_check get_cjdns_public_key - get_cjdns_public_key + function_check get_cjdns_public_key + get_cjdns_public_key - function_check get_cjdns_private_key - get_cjdns_private_key + function_check get_cjdns_private_key + get_cjdns_private_key - function_check get_cjdns_port - get_cjdns_port + function_check get_cjdns_port + get_cjdns_port - function_check get_cjdns_password - get_cjdns_password + function_check get_cjdns_password + get_cjdns_password - # special compile settings for running ./do on the Beaglebone Black - if [[ $INSTALLING_ON_BBB == "yes" ]]; then - CFLAGS="-O2 -march=armv7-a -mtune=cortex-a8 -mfpu=neon -ftree-vectorize -ffast-math -mfloat-abi=hard -marm -Wno-error=maybe-uninitialized" - export LDFLAGS="$CFLAGS" - fi + # special compile settings for running ./do on the Beaglebone Black + if [[ $INSTALLING_ON_BBB == "yes" ]]; then + CFLAGS="-O2 -march=armv7-a -mtune=cortex-a8 -mfpu=neon -ftree-vectorize -ffast-math 
-mfloat-abi=hard -marm -Wno-error=maybe-uninitialized" + export LDFLAGS="$CFLAGS" + fi - if [ ! -d /etc/cjdns ]; then - function_check git_pull - git_clone $CJDNS_REPO /etc/cjdns - cd /etc/cjdns + if [ ! -d /etc/cjdns ]; then + function_check git_pull + git_clone $CJDNS_REPO /etc/cjdns + cd /etc/cjdns - git checkout $CJDNS_COMMIT -b $CJDNS_COMMIT - if ! grep -q "cjdns commit" $COMPLETION_FILE; then - echo "cjdns commit:$CJDNS_COMMIT" >> $COMPLETION_FILE - else - sed -i "s/cjdns commit.*/cjdns commit:$CJDNS_COMMIT/g" $COMPLETION_FILE - fi + git checkout $CJDNS_COMMIT -b $CJDNS_COMMIT + if ! grep -q "cjdns commit" $COMPLETION_FILE; then + echo "cjdns commit:$CJDNS_COMMIT" >> $COMPLETION_FILE + else + sed -i "s/cjdns commit.*/cjdns commit:$CJDNS_COMMIT/g" $COMPLETION_FILE + fi - ./do - if [ ! "$?" = "0" ]; then - exit 7439 - fi - # create a configuration - if [ ! -f /etc/cjdns/cjdroute.conf ]; then - ./cjdroute --genconf > /etc/cjdns/cjdroute.conf - if [ ! "$?" = "0" ]; then - exit 5922 - fi - fi - # create a user to run as - useradd cjdns - else - cd /etc/cjdns - function_check git_pull - git_pull $CJDNS_REPO - ./do - if [ ! "$?" = "0" ]; then - exit 9926 - fi - fi + ./do + if [ ! "$?" = "0" ]; then + exit 7439 + fi + # create a configuration + if [ ! -f /etc/cjdns/cjdroute.conf ]; then + ./cjdroute --genconf > /etc/cjdns/cjdroute.conf + if [ ! "$?" = "0" ]; then + exit 5922 + fi + fi + # create a user to run as + useradd cjdns + else + cd /etc/cjdns + function_check git_pull + git_pull $CJDNS_REPO + ./do + if [ ! "$?" 
= "0" ]; then + exit 9926 + fi + fi - # set permissions - chown -R cjdns:cjdns /etc/cjdns - chmod 600 /etc/cjdns/cjdroute.conf + # set permissions + chown -R cjdns:cjdns /etc/cjdns + chmod 600 /etc/cjdns/cjdroute.conf - /sbin/ip tuntap add mode tun user cjdns dev cjdroute0 + /sbin/ip tuntap add mode tun user cjdns dev cjdroute0 - # insert values into the configuration file - if [ $CJDNS_PRIVATE_KEY ]; then - sed -i "s/\"privateKey\":.*/\"privateKey\": \"$CJDNS_PRIVATE_KEY\",/g" /etc/cjdns/cjdroute.conf - else - CJDNS_PRIVATE_KEY=$(cat /etc/cjdns/cjdroute.conf | grep '"privateKey"' | awk -F '"' '{print $4}' | sed -n 1p) - fi - if [ $CJDNS_PUBLIC_KEY ]; then - sed -i "s/\"publicKey\":.*/\"publicKey\": \"$CJDNS_PUBLIC_KEY\",/g" /etc/cjdns/cjdroute.conf - else - CJDNS_PUBLIC_KEY=$(cat /etc/cjdns/cjdroute.conf | grep '"publicKey"' | awk -F '"' '{print $4}' | sed -n 1p) - fi - if [ $CJDNS_IPV6 ]; then - sed -i "s/\"ipv6\":.*/\"ipv6\": \"$CJDNS_IPV6\",/g" /etc/cjdns/cjdroute.conf - else - CJDNS_IPV6=$(cat /etc/cjdns/cjdroute.conf | grep '"ipv6"' | awk -F '"' '{print $4}' | sed -n 1p) - fi - if [ $CJDNS_PASSWORD ]; then - sed -i "0,/{\"password\":.*/s//{\"password\": \"$CJDNS_PASSWORD\"}/g" /etc/cjdns/cjdroute.conf - else - CJDNS_PASSWORD=$(cat /etc/cjdns/cjdroute.conf | grep '"password"' | awk -F '"' '{print $4}' | sed -n 1p) - fi - if [ $CJDNS_PORT ]; then - sed -i "s/\"bind\": \"0.0.0.0:.*/\"bind\": \"0.0.0.0:$CJDNS_PORT\",/g" /etc/cjdns/cjdroute.conf - else - CJDNS_PORT=$(cat /etc/cjdns/cjdroute.conf | grep '"bind": "0.0.0.0:' | awk -F '"' '{print $4}' | awk -F ':' '{print $2}' | sed -n 1p) - fi + # insert values into the configuration file + if [ $CJDNS_PRIVATE_KEY ]; then + sed -i "s/\"privateKey\":.*/\"privateKey\": \"$CJDNS_PRIVATE_KEY\",/g" /etc/cjdns/cjdroute.conf + else + CJDNS_PRIVATE_KEY=$(cat /etc/cjdns/cjdroute.conf | grep '"privateKey"' | awk -F '"' '{print $4}' | sed -n 1p) + fi + if [ $CJDNS_PUBLIC_KEY ]; then + sed -i "s/\"publicKey\":.*/\"publicKey\": 
\"$CJDNS_PUBLIC_KEY\",/g" /etc/cjdns/cjdroute.conf + else + CJDNS_PUBLIC_KEY=$(cat /etc/cjdns/cjdroute.conf | grep '"publicKey"' | awk -F '"' '{print $4}' | sed -n 1p) + fi + if [ $CJDNS_IPV6 ]; then + sed -i "s/\"ipv6\":.*/\"ipv6\": \"$CJDNS_IPV6\",/g" /etc/cjdns/cjdroute.conf + else + CJDNS_IPV6=$(cat /etc/cjdns/cjdroute.conf | grep '"ipv6"' | awk -F '"' '{print $4}' | sed -n 1p) + fi + if [ $CJDNS_PASSWORD ]; then + sed -i "0,/{\"password\":.*/s//{\"password\": \"$CJDNS_PASSWORD\"}/g" /etc/cjdns/cjdroute.conf + else + CJDNS_PASSWORD=$(cat /etc/cjdns/cjdroute.conf | grep '"password"' | awk -F '"' '{print $4}' | sed -n 1p) + fi + if [ $CJDNS_PORT ]; then + sed -i "s/\"bind\": \"0.0.0.0:.*/\"bind\": \"0.0.0.0:$CJDNS_PORT\",/g" /etc/cjdns/cjdroute.conf + else + CJDNS_PORT=$(cat /etc/cjdns/cjdroute.conf | grep '"bind": "0.0.0.0:' | awk -F '"' '{print $4}' | awk -F ':' '{print $2}' | sed -n 1p) + fi - function_check enable_ipv6 - enable_ipv6 + function_check enable_ipv6 + enable_ipv6 - echo '#!/bin/sh -e' > /etc/init.d/cjdns - echo '### BEGIN INIT INFO' >> /etc/init.d/cjdns - echo '# hyperboria.sh - An init script (/etc/init.d/) for cjdns' >> /etc/init.d/cjdns - echo '# Provides: cjdroute' >> /etc/init.d/cjdns - echo '# Required-Start: $remote_fs $network' >> /etc/init.d/cjdns - echo '# Required-Stop: $remote_fs $network' >> /etc/init.d/cjdns - echo '# Default-Start: 2 3 4 5' >> /etc/init.d/cjdns - echo '# Default-Stop: 0 1 6' >> /etc/init.d/cjdns - echo '# Short-Description: Cjdns router' >> /etc/init.d/cjdns - echo '# Description: A routing engine designed for security, scalability, speed and ease of use.' 
>> /etc/init.d/cjdns - echo '# cjdns git repo: https://github.com/cjdelisle/cjdns/' >> /etc/init.d/cjdns - echo '### END INIT INFO' >> /etc/init.d/cjdns - echo '' >> /etc/init.d/cjdns - echo 'PROG="cjdroute"' >> /etc/init.d/cjdns - echo 'GIT_PATH="/etc/cjdns"' >> /etc/init.d/cjdns - echo 'PROG_PATH="/etc/cjdns"' >> /etc/init.d/cjdns - echo 'CJDNS_CONFIG="cjdroute.conf"' >> /etc/init.d/cjdns - echo 'CJDNS_USER="cjdns"' >> /etc/init.d/cjdns - echo "CJDNS_IP='$CJDNS_IPV6'" >> /etc/init.d/cjdns - echo '' >> /etc/init.d/cjdns - echo 'start() {' >> /etc/init.d/cjdns - echo ' # Start it up with the user cjdns' >> /etc/init.d/cjdns - echo ' if [ $(pgrep cjdroute | wc -l) != 0 ];' >> /etc/init.d/cjdns - echo ' then' >> /etc/init.d/cjdns - echo ' echo "cjdroute is already running. Doing nothing..."' >> /etc/init.d/cjdns - echo ' else' >> /etc/init.d/cjdns - echo ' echo " * Starting cjdroute"' >> /etc/init.d/cjdns - echo ' su -c "$PROG_PATH/$PROG < $PROG_PATH/$CJDNS_CONFIG" - $CJDNS_USER' >> /etc/init.d/cjdns - echo ' /sbin/ip addr add $CJDNS_IP/8 dev tun0' >> /etc/init.d/cjdns - echo ' /sbin/ip link set mtu 1312 dev tun0' >> /etc/init.d/cjdns - echo ' /sbin/ip link set tun0 up' >> /etc/init.d/cjdns - echo ' /sbin/ip tuntap add mode tun user cjdns dev tun0' >> /etc/init.d/cjdns - echo ' fi' >> /etc/init.d/cjdns - echo '}' >> /etc/init.d/cjdns - echo '' >> /etc/init.d/cjdns - echo 'stop() {' >> /etc/init.d/cjdns - echo '' >> /etc/init.d/cjdns - echo ' if [ $(pgrep cjdroute | wc -l) != 2 ];' >> /etc/init.d/cjdns - echo ' then' >> /etc/init.d/cjdns - echo ' echo "cjdns isnt running."' >> /etc/init.d/cjdns - echo ' else' >> /etc/init.d/cjdns - echo ' echo "Killing cjdroute"' >> /etc/init.d/cjdns - echo ' killall cjdroute' >> /etc/init.d/cjdns - echo ' fi' >> /etc/init.d/cjdns - echo '}' >> /etc/init.d/cjdns - echo '' >> /etc/init.d/cjdns - echo 'status() {' >> /etc/init.d/cjdns - echo ' if [ $(pgrep cjdroute | wc -l) != 0 ];' >> /etc/init.d/cjdns - echo ' then' >> 
/etc/init.d/cjdns - echo ' echo "Cjdns is running"' >> /etc/init.d/cjdns - echo ' else' >> /etc/init.d/cjdns - echo ' echo "Cjdns is not running"' >> /etc/init.d/cjdns - echo ' fi' >> /etc/init.d/cjdns - echo '}' >> /etc/init.d/cjdns - echo '' >> /etc/init.d/cjdns - echo ' update() {' >> /etc/init.d/cjdns - echo ' cd $GIT_PATH' >> /etc/init.d/cjdns - echo ' echo "Updating..."' >> /etc/init.d/cjdns - echo ' git pull' >> /etc/init.d/cjdns - echo ' ./do' >> /etc/init.d/cjdns - echo '}' >> /etc/init.d/cjdns - echo '' >> /etc/init.d/cjdns - echo '## Check to see if we are running as root first.' >> /etc/init.d/cjdns - echo 'if [ "$(id -u)" != "0" ]; then' >> /etc/init.d/cjdns - echo ' echo "This script must be run as root" 1>&2' >> /etc/init.d/cjdns - echo ' exit 1' >> /etc/init.d/cjdns - echo 'fi' >> /etc/init.d/cjdns - echo '' >> /etc/init.d/cjdns - echo 'case $1 in' >> /etc/init.d/cjdns - echo ' start)' >> /etc/init.d/cjdns - echo ' start' >> /etc/init.d/cjdns - echo ' exit 0' >> /etc/init.d/cjdns - echo ' ;;' >> /etc/init.d/cjdns - echo ' stop)' >> /etc/init.d/cjdns - echo ' stop' >> /etc/init.d/cjdns - echo ' exit 0' >> /etc/init.d/cjdns - echo ' ;;' >> /etc/init.d/cjdns - echo ' reload|restart|force-reload)' >> /etc/init.d/cjdns - echo ' stop' >> /etc/init.d/cjdns - echo ' sleep 1' >> /etc/init.d/cjdns - echo ' start' >> /etc/init.d/cjdns - echo ' exit 0' >> /etc/init.d/cjdns - echo ' ;;' >> /etc/init.d/cjdns - echo ' status)' >> /etc/init.d/cjdns - echo ' status' >> /etc/init.d/cjdns - echo ' exit 0' >> /etc/init.d/cjdns - echo ' ;;' >> /etc/init.d/cjdns - echo ' update|upgrade)' >> /etc/init.d/cjdns - echo ' update' >> /etc/init.d/cjdns - echo ' stop' >> /etc/init.d/cjdns - echo ' sleep 2' >> /etc/init.d/cjdns - echo ' start' >> /etc/init.d/cjdns - echo ' exit 0' >> /etc/init.d/cjdns - echo ' ;;' >> /etc/init.d/cjdns - echo ' **)' >> /etc/init.d/cjdns - echo ' echo "Usage: $0 (start|stop|restart|status|update)" 1>&2' >> /etc/init.d/cjdns - echo ' exit 1' >> 
/etc/init.d/cjdns - echo ' ;;' >> /etc/init.d/cjdns - echo 'esac' >> /etc/init.d/cjdns - chmod +x /etc/init.d/cjdns - update-rc.d cjdns defaults - service cjdns start - if [ ! "$?" = "0" ]; then - systemctl status cjdns.service - exit 8260 - fi + echo '#!/bin/sh -e' > /etc/init.d/cjdns + echo '### BEGIN INIT INFO' >> /etc/init.d/cjdns + echo '# hyperboria.sh - An init script (/etc/init.d/) for cjdns' >> /etc/init.d/cjdns + echo '# Provides: cjdroute' >> /etc/init.d/cjdns + echo '# Required-Start: $remote_fs $network' >> /etc/init.d/cjdns + echo '# Required-Stop: $remote_fs $network' >> /etc/init.d/cjdns + echo '# Default-Start: 2 3 4 5' >> /etc/init.d/cjdns + echo '# Default-Stop: 0 1 6' >> /etc/init.d/cjdns + echo '# Short-Description: Cjdns router' >> /etc/init.d/cjdns + echo '# Description: A routing engine designed for security, scalability, speed and ease of use.' >> /etc/init.d/cjdns + echo '# cjdns git repo: https://github.com/cjdelisle/cjdns/' >> /etc/init.d/cjdns + echo '### END INIT INFO' >> /etc/init.d/cjdns + echo '' >> /etc/init.d/cjdns + echo 'PROG="cjdroute"' >> /etc/init.d/cjdns + echo 'GIT_PATH="/etc/cjdns"' >> /etc/init.d/cjdns + echo 'PROG_PATH="/etc/cjdns"' >> /etc/init.d/cjdns + echo 'CJDNS_CONFIG="cjdroute.conf"' >> /etc/init.d/cjdns + echo 'CJDNS_USER="cjdns"' >> /etc/init.d/cjdns + echo "CJDNS_IP='$CJDNS_IPV6'" >> /etc/init.d/cjdns + echo '' >> /etc/init.d/cjdns + echo 'start() {' >> /etc/init.d/cjdns + echo ' # Start it up with the user cjdns' >> /etc/init.d/cjdns + echo ' if [ $(pgrep cjdroute | wc -l) != 0 ];' >> /etc/init.d/cjdns + echo ' then' >> /etc/init.d/cjdns + echo ' echo "cjdroute is already running. 
Doing nothing..."' >> /etc/init.d/cjdns + echo ' else' >> /etc/init.d/cjdns + echo ' echo " * Starting cjdroute"' >> /etc/init.d/cjdns + echo ' su -c "$PROG_PATH/$PROG < $PROG_PATH/$CJDNS_CONFIG" - $CJDNS_USER' >> /etc/init.d/cjdns + echo ' /sbin/ip addr add $CJDNS_IP/8 dev tun0' >> /etc/init.d/cjdns + echo ' /sbin/ip link set mtu 1312 dev tun0' >> /etc/init.d/cjdns + echo ' /sbin/ip link set tun0 up' >> /etc/init.d/cjdns + echo ' /sbin/ip tuntap add mode tun user cjdns dev tun0' >> /etc/init.d/cjdns + echo ' fi' >> /etc/init.d/cjdns + echo '}' >> /etc/init.d/cjdns + echo '' >> /etc/init.d/cjdns + echo 'stop() {' >> /etc/init.d/cjdns + echo '' >> /etc/init.d/cjdns + echo ' if [ $(pgrep cjdroute | wc -l) != 2 ];' >> /etc/init.d/cjdns + echo ' then' >> /etc/init.d/cjdns + echo ' echo "cjdns isnt running."' >> /etc/init.d/cjdns + echo ' else' >> /etc/init.d/cjdns + echo ' echo "Killing cjdroute"' >> /etc/init.d/cjdns + echo ' killall cjdroute' >> /etc/init.d/cjdns + echo ' fi' >> /etc/init.d/cjdns + echo '}' >> /etc/init.d/cjdns + echo '' >> /etc/init.d/cjdns + echo 'status() {' >> /etc/init.d/cjdns + echo ' if [ $(pgrep cjdroute | wc -l) != 0 ];' >> /etc/init.d/cjdns + echo ' then' >> /etc/init.d/cjdns + echo ' echo "Cjdns is running"' >> /etc/init.d/cjdns + echo ' else' >> /etc/init.d/cjdns + echo ' echo "Cjdns is not running"' >> /etc/init.d/cjdns + echo ' fi' >> /etc/init.d/cjdns + echo '}' >> /etc/init.d/cjdns + echo '' >> /etc/init.d/cjdns + echo ' update() {' >> /etc/init.d/cjdns + echo ' cd $GIT_PATH' >> /etc/init.d/cjdns + echo ' echo "Updating..."' >> /etc/init.d/cjdns + echo ' git pull' >> /etc/init.d/cjdns + echo ' ./do' >> /etc/init.d/cjdns + echo '}' >> /etc/init.d/cjdns + echo '' >> /etc/init.d/cjdns + echo '## Check to see if we are running as root first.' 
>> /etc/init.d/cjdns + echo 'if [ "$(id -u)" != "0" ]; then' >> /etc/init.d/cjdns + echo ' echo "This script must be run as root" 1>&2' >> /etc/init.d/cjdns + echo ' exit 1' >> /etc/init.d/cjdns + echo 'fi' >> /etc/init.d/cjdns + echo '' >> /etc/init.d/cjdns + echo 'case $1 in' >> /etc/init.d/cjdns + echo ' start)' >> /etc/init.d/cjdns + echo ' start' >> /etc/init.d/cjdns + echo ' exit 0' >> /etc/init.d/cjdns + echo ' ;;' >> /etc/init.d/cjdns + echo ' stop)' >> /etc/init.d/cjdns + echo ' stop' >> /etc/init.d/cjdns + echo ' exit 0' >> /etc/init.d/cjdns + echo ' ;;' >> /etc/init.d/cjdns + echo ' reload|restart|force-reload)' >> /etc/init.d/cjdns + echo ' stop' >> /etc/init.d/cjdns + echo ' sleep 1' >> /etc/init.d/cjdns + echo ' start' >> /etc/init.d/cjdns + echo ' exit 0' >> /etc/init.d/cjdns + echo ' ;;' >> /etc/init.d/cjdns + echo ' status)' >> /etc/init.d/cjdns + echo ' status' >> /etc/init.d/cjdns + echo ' exit 0' >> /etc/init.d/cjdns + echo ' ;;' >> /etc/init.d/cjdns + echo ' update|upgrade)' >> /etc/init.d/cjdns + echo ' update' >> /etc/init.d/cjdns + echo ' stop' >> /etc/init.d/cjdns + echo ' sleep 2' >> /etc/init.d/cjdns + echo ' start' >> /etc/init.d/cjdns + echo ' exit 0' >> /etc/init.d/cjdns + echo ' ;;' >> /etc/init.d/cjdns + echo ' **)' >> /etc/init.d/cjdns + echo ' echo "Usage: $0 (start|stop|restart|status|update)" 1>&2' >> /etc/init.d/cjdns + echo ' exit 1' >> /etc/init.d/cjdns + echo ' ;;' >> /etc/init.d/cjdns + echo 'esac' >> /etc/init.d/cjdns + chmod +x /etc/init.d/cjdns + update-rc.d cjdns defaults + service cjdns start + if [ ! "$?" 
= "0" ]; then + systemctl status cjdns.service + exit 8260 + fi - apt-get -y install radvd - echo 'interface eth0' > /etc/radvd.conf - echo '{' >> /etc/radvd.conf - echo ' AdvSendAdvert on;' >> /etc/radvd.conf - echo ' prefix fdfc::1/64' >> /etc/radvd.conf - echo ' {' >> /etc/radvd.conf - echo ' AdvRouterAddr on;' >> /etc/radvd.conf - echo ' };' >> /etc/radvd.conf - echo '};' >> /etc/radvd.conf - systemctl restart radvd - if [ ! "$?" = "0" ]; then - systemctl status radvd.service - exit 4395 - fi + apt-get -y install radvd + echo 'interface eth0' > /etc/radvd.conf + echo '{' >> /etc/radvd.conf + echo ' AdvSendAdvert on;' >> /etc/radvd.conf + echo ' prefix fdfc::1/64' >> /etc/radvd.conf + echo ' {' >> /etc/radvd.conf + echo ' AdvRouterAddr on;' >> /etc/radvd.conf + echo ' };' >> /etc/radvd.conf + echo '};' >> /etc/radvd.conf + systemctl restart radvd + if [ ! "$?" = "0" ]; then + systemctl status radvd.service + exit 4395 + fi - if ! grep -q "# Mesh Networking (cjdns)" /etc/network/interfaces; then - echo '' >> /etc/network/interfaces - echo '# Mesh Networking (cjdns)' >> /etc/network/interfaces - echo 'iface eth0 inet6 static' >> /etc/network/interfaces - echo ' pre-up modprobe ipv6' >> /etc/network/interfaces - echo ' address fdfc:0000:0000:0000:0000:0000:0000:0001' >> /etc/network/interfaces - echo ' netmask 64' >> /etc/network/interfaces - service network-manager restart - if [ ! "$?" = "0" ]; then - systemctl status networking.service - exit 6949 - fi - fi + if ! grep -q "# Mesh Networking (cjdns)" /etc/network/interfaces; then + echo '' >> /etc/network/interfaces + echo '# Mesh Networking (cjdns)' >> /etc/network/interfaces + echo 'iface eth0 inet6 static' >> /etc/network/interfaces + echo ' pre-up modprobe ipv6' >> /etc/network/interfaces + echo ' address fdfc:0000:0000:0000:0000:0000:0000:0001' >> /etc/network/interfaces + echo ' netmask 64' >> /etc/network/interfaces + service network-manager restart + if [ ! "$?" 
= "0" ]; then + systemctl status networking.service + exit 6949 + fi + fi - ip6tables -A INPUT -p udp --dport $CJDNS_PORT -j ACCEPT - ip6tables -A INPUT -p tcp --dport $CJDNS_PORT -j ACCEPT + ip6tables -A INPUT -p udp --dport $CJDNS_PORT -j ACCEPT + ip6tables -A INPUT -p tcp --dport $CJDNS_PORT -j ACCEPT - function_ckeck save_firewall_settings - save_firewall_settings + function_ckeck save_firewall_settings + save_firewall_settings - if ! grep -q $"Mesh Networking (cjdns)" /home/$MY_USERNAME/README; then - CURRENT_IP_ADDRESS=$(ip addr show | grep "inet " | sed -n 2p | awk -F ' ' '{print $2}' | awk -F '/' '{print $1}') + if ! grep -q $"Mesh Networking (cjdns)" /home/$MY_USERNAME/README; then + CURRENT_IP_ADDRESS=$(ip addr show | grep "inet " | sed -n 2p | awk -F ' ' '{print $2}' | awk -F '/' '{print $1}') - echo '' >> /home/$MY_USERNAME/README - echo '' >> /home/$MY_USERNAME/README - echo $'Mesh Networking (cjdns)' >> /home/$MY_USERNAME/README - echo '=======================' >> /home/$MY_USERNAME/README - echo $"cjdns IPv6 address: $CJDNS_IPV6" >> /home/$MY_USERNAME/README - echo $"cjdns public key: $CJDNS_PUBLIC_KEY" >> /home/$MY_USERNAME/README - echo $"cjdns private key: $CJDNS_PRIVATE_KEY" >> /home/$MY_USERNAME/README - echo $"cjdns password: $CJDNS_PASSWORD" >> /home/$MY_USERNAME/README - echo $"cjdns port: $CJDNS_PORT" >> /home/$MY_USERNAME/README - echo '' >> /home/$MY_USERNAME/README - echo $"Forward port $CJDNS_PORT from your internet router to the ${PROJECT_NAME}" >> /home/$MY_USERNAME/README - echo '' >> /home/$MY_USERNAME/README - echo $'Below is an example of your connection credentials' >> /home/$MY_USERNAME/README - echo $'that you can give to other people so they can connect' >> /home/$MY_USERNAME/README - echo $'to you using your default password' >> /home/$MY_USERNAME/README - echo $'Adding a unique password for each user is advisable' >> /home/$MY_USERNAME/README - echo $'so that leaks can be isolated.' 
>> /home/$MY_USERNAME/README - echo '' >> /home/$MY_USERNAME/README - echo "\"$CURRENT_IP_ADDRESS:$CJDNS_PORT\":{\"password\":\"$CJDNS_PASSWORD\",\"publicKey\":\"$CJDNS_PUBLIC_KEY\"}" >> /home/$MY_USERNAME/README - echo '' >> /home/$MY_USERNAME/README - echo $'More is not better. 3-5 cjdns peers is good. 30 peers is bad.' >> /home/$MY_USERNAME/README - echo '' >> /home/$MY_USERNAME/README - echo $'NEVER USE A PUBLIC PEER. These degrade the network and make it centralized.' >> /home/$MY_USERNAME/README - echo $'Each node can handle many peers, but no node can handle the entire internet.' >> /home/$MY_USERNAME/README - echo $'As this network grows any public peer will simply become saturated and' >> /home/$MY_USERNAME/README - echo $'useless causing issues for the entire network.' >> /home/$MY_USERNAME/README - echo $'Please report anyone offering you a public peer as they are promoting shared' >> /home/$MY_USERNAME/README - echo $'passwords which could lead to people pretending to be you. A peering pass' >> /home/$MY_USERNAME/README - echo $'should not contain someone elses nickname or info but should contain yours' >> /home/$MY_USERNAME/README - echo $'to ensure it is not shared. It also helps when editing the conf to know who' >> /home/$MY_USERNAME/README - echo $'each password is for.' 
>> /home/$MY_USERNAME/README - echo '' >> /home/$MY_USERNAME/README - echo $'Possible cjdns destinations of interest:' >> /home/$MY_USERNAME/README - echo ' http://transitiontech.ca/faq' >> /home/$MY_USERNAME/README - echo ' http://cjdns.ca/hypeirc.txt' >> /home/$MY_USERNAME/README - chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README - chmod 600 /home/$MY_USERNAME/README - fi + echo '' >> /home/$MY_USERNAME/README + echo '' >> /home/$MY_USERNAME/README + echo $'Mesh Networking (cjdns)' >> /home/$MY_USERNAME/README + echo '=======================' >> /home/$MY_USERNAME/README + echo $"cjdns IPv6 address: $CJDNS_IPV6" >> /home/$MY_USERNAME/README + echo $"cjdns public key: $CJDNS_PUBLIC_KEY" >> /home/$MY_USERNAME/README + echo $"cjdns private key: $CJDNS_PRIVATE_KEY" >> /home/$MY_USERNAME/README + echo $"cjdns password: $CJDNS_PASSWORD" >> /home/$MY_USERNAME/README + echo $"cjdns port: $CJDNS_PORT" >> /home/$MY_USERNAME/README + echo '' >> /home/$MY_USERNAME/README + echo $"Forward port $CJDNS_PORT from your internet router to the ${PROJECT_NAME}" >> /home/$MY_USERNAME/README + echo '' >> /home/$MY_USERNAME/README + echo $'Below is an example of your connection credentials' >> /home/$MY_USERNAME/README + echo $'that you can give to other people so they can connect' >> /home/$MY_USERNAME/README + echo $'to you using your default password' >> /home/$MY_USERNAME/README + echo $'Adding a unique password for each user is advisable' >> /home/$MY_USERNAME/README + echo $'so that leaks can be isolated.' >> /home/$MY_USERNAME/README + echo '' >> /home/$MY_USERNAME/README + echo "\"$CURRENT_IP_ADDRESS:$CJDNS_PORT\":{\"password\":\"$CJDNS_PASSWORD\",\"publicKey\":\"$CJDNS_PUBLIC_KEY\"}" >> /home/$MY_USERNAME/README + echo '' >> /home/$MY_USERNAME/README + echo $'More is not better. 3-5 cjdns peers is good. 30 peers is bad.' >> /home/$MY_USERNAME/README + echo '' >> /home/$MY_USERNAME/README + echo $'NEVER USE A PUBLIC PEER. 
These degrade the network and make it centralized.' >> /home/$MY_USERNAME/README + echo $'Each node can handle many peers, but no node can handle the entire internet.' >> /home/$MY_USERNAME/README + echo $'As this network grows any public peer will simply become saturated and' >> /home/$MY_USERNAME/README + echo $'useless causing issues for the entire network.' >> /home/$MY_USERNAME/README + echo $'Please report anyone offering you a public peer as they are promoting shared' >> /home/$MY_USERNAME/README + echo $'passwords which could lead to people pretending to be you. A peering pass' >> /home/$MY_USERNAME/README + echo $'should not contain someone elses nickname or info but should contain yours' >> /home/$MY_USERNAME/README + echo $'to ensure it is not shared. It also helps when editing the conf to know who' >> /home/$MY_USERNAME/README + echo $'each password is for.' >> /home/$MY_USERNAME/README + echo '' >> /home/$MY_USERNAME/README + echo $'Possible cjdns destinations of interest:' >> /home/$MY_USERNAME/README + echo ' http://transitiontech.ca/faq' >> /home/$MY_USERNAME/README + echo ' http://cjdns.ca/hypeirc.txt' >> /home/$MY_USERNAME/README + chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README + chmod 600 /home/$MY_USERNAME/README + fi - echo 'mesh_cjdns' >> $COMPLETION_FILE + function_check configure_firewall_for_cjdns + configure_firewall_for_cjdns + + echo 'mesh_cjdns' >> $COMPLETION_FILE } function mesh_cjdns_tools { - if grep -Fxq "mesh_cjdns_tools" $COMPLETION_FILE; then - return - fi - if [[ $ENABLE_CJDNS != "yes" ]]; then - return - fi - if [ ! -d /etc/cjdns ]; then - mesh_cjdns - fi + if grep -Fxq "mesh_cjdns_tools" $COMPLETION_FILE; then + return + fi + if [[ $ENABLE_CJDNS != "yes" ]]; then + return + fi + if [ ! -d /etc/cjdns ]; then + mesh_cjdns + fi - function_check select_go_version - select_go_version + function_check select_go_version + select_go_version - apt-get -y install golang mercurial - if [ ! 
-f ~/.bashrc ]; then - touch ~/.bashrc - fi + apt-get -y install golang mercurial + if [ ! -f ~/.bashrc ]; then + touch ~/.bashrc + fi - if [ ! -d /home/git ]; then - # add a gogs user account - adduser --disabled-login --gecos 'Gogs' git + if [ ! -d /home/git ]; then + # add a gogs user account + adduser --disabled-login --gecos 'Gogs' git - # install Go - if ! grep -q "export GOPATH=" ~/.bashrc; then - echo "export GOPATH=$GOPATH" >> ~/.bashrc - fi - systemctl set-environment GOPATH=$GOPATH - if ! grep -q "systemctl set-environment GOPATH=" ~/.bashrc; then - echo "systemctl set-environment GOPATH=$GOPATH" >> ~/.bashrc - fi - if [ ! -d $GOPATH ]; then - mkdir -p $GOPATH - fi - fi + # install Go + if ! grep -q "export GOPATH=" ~/.bashrc; then + echo "export GOPATH=$GOPATH" >> ~/.bashrc + fi + systemctl set-environment GOPATH=$GOPATH + if ! grep -q "systemctl set-environment GOPATH=" ~/.bashrc; then + echo "systemctl set-environment GOPATH=$GOPATH" >> ~/.bashrc + fi + if [ ! -d $GOPATH ]; then + mkdir -p $GOPATH + fi + fi - if ! grep -q "export GOPATH=" ~/.bashrc; then - echo "export GOPATH=$GOPATH" >> ~/.bashrc - fi - expected_go_path='export PATH=$PATH:'${GOPATH}'/bin' - export PATH=$PATH:${GOPATH}/bin - if ! grep -q "$expected_go_path" ~/.bashrc; then - echo "$expected_go_path" >> ~/.bashrc - fi - export PATH=$PATH:$GOPATH/bin - CJDCMD_REPO2=$(echo "$CJDCMD_REPO" | sed 's|https://||g') - go get $CJDCMD_REPO2 - if [ ! -f $GOPATH/bin/cjdcmd ]; then - echo $'cjdcmd was not compiled. Check your golang installation' - exit 7439 - fi - cp $GOPATH/bin/cjdcmd /usr/bin + if ! grep -q "export GOPATH=" ~/.bashrc; then + echo "export GOPATH=$GOPATH" >> ~/.bashrc + fi + expected_go_path='export PATH=$PATH:'${GOPATH}'/bin' + export PATH=$PATH:${GOPATH}/bin + if ! grep -q "$expected_go_path" ~/.bashrc; then + echo "$expected_go_path" >> ~/.bashrc + fi + export PATH=$PATH:$GOPATH/bin + CJDCMD_REPO2=$(echo "$CJDCMD_REPO" | sed 's|https://||g') + go get $CJDCMD_REPO2 + if [ ! 
-f $GOPATH/bin/cjdcmd ]; then + echo $'cjdcmd was not compiled. Check your golang installation' + exit 7439 + fi + cp $GOPATH/bin/cjdcmd /usr/bin - # initialise from the cjdns config - /usr/bin/cjdcmd cjdnsadmin -file /etc/cjdns/cjdroute.conf + # initialise from the cjdns config + /usr/bin/cjdcmd cjdnsadmin -file /etc/cjdns/cjdroute.conf - echo 'mesh_cjdns_tools' >> $COMPLETION_FILE + echo 'mesh_cjdns_tools' >> $COMPLETION_FILE } # NOTE: deliberately no exit 0 diff --git a/src/freedombone-app-dlna b/src/freedombone-app-dlna index d0d2a875..52e93b4d 100755 --- a/src/freedombone-app-dlna +++ b/src/freedombone-app-dlna @@ -28,6 +28,27 @@ # You should have received a copy of the GNU Affero General Public License # along with this program. If not, see . +function configure_firewall_for_dlna { + if grep -Fxq "configure_firewall_for_dlna" $COMPLETION_FILE; then + return + fi + if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then + # docker does its own firewalling + return + fi + if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" ]]; then + return + fi + iptables -A INPUT -p udp --dport 1900 -j ACCEPT + iptables -A INPUT -p tcp --dport 8200 -j ACCEPT + function_check save_firewall_settings + save_firewall_settings + + OPEN_PORTS+=('DLNA 1900') + OPEN_PORTS+=('DLNA 8200') + echo 'configure_firewall_for_dlna' >> $COMPLETION_FILE +} + function install_dlna_server { if grep -Fxq "install_dlna_server" $COMPLETION_FILE; then return diff --git a/src/freedombone-app-email b/src/freedombone-app-email index ff1a2cc4..46ed1fb8 100755 --- a/src/freedombone-app-email +++ b/src/freedombone-app-email 
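Review bot: `function_ckeck save_firewall_settings` in mesh_cjdns, on the re-indented new-side lines just after the two `ip6tables -A INPUT ... --dport $CJDNS_PORT -j ACCEPT` rules, is a typo that this patch preserves; no function of that name is defined, so the guard fails with "command not found" and, absent `set -e`, the script simply carries on. Fix the spelling to `function_check save_firewall_settings`. Those two INPUT rules would also fit the structure the rest of this patch introduces if they moved into the new configure_firewall_for_cjdns beside the NAT and FORWARD rules, together with `OPEN_PORTS+=("cjdns $CJDNS_PORT")` as the other app scripts record their ports, leaving mesh_cjdns with only the `configure_firewall_for_cjdns` call the hunk adds near its end.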
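Review bot: The new rules `iptables -A INPUT -p udp --dport 1900 -j ACCEPT` and `iptables -A INPUT -p tcp --dport 8200 -j ACCEPT` carry no `-i` or `-s` restriction, so SSDP discovery and the media server answer on every interface including the internet-facing one, and SSDP is a well-known reflection target. Scope them to the LAN the way the babel hunk scopes its rule with `-i $WIFI_INTERFACE`, e.g. `iptables -A INPUT -i "<LAN_INTERFACE>" -p udp --dport 1900 -j ACCEPT` (placeholder: the project's LAN interface variable, which this hunk does not show). Unlike configure_firewall_for_email, this function also has no `ONION_ONLY` check; confirm whether a DLNA server is meant to be reachable at all on onion-only installs.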
@@ -78,6 +78,34 @@ GPGIT_COMMIT='583dc76119f19420f8a33f606744faa7c8922738'
 # refresh gpg keys every few hours
 REFRESH_GPG_KEYS_HOURS=2
+function configure_firewall_for_email {
+ if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" ]]; then
+ return
+ fi
+ if grep -Fxq "configure_firewall_for_email" $COMPLETION_FILE; then
+ return
+ fi
+ if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
+ # docker does its own firewalling
+ return
+ fi
+ if [[ $ONION_ONLY != "no" ]]; then
+ return
+ fi
+ iptables -A INPUT -p tcp --dport 25 -j ACCEPT
+ iptables -A INPUT -p tcp --dport 587 -j ACCEPT
+ iptables -A INPUT -p tcp --dport 465 -j ACCEPT
+ iptables -A INPUT -p tcp --dport 993 -j ACCEPT
+ function_check save_firewall_settings
+ save_firewall_settings
+
+ OPEN_PORTS+=('Email 25')
+ OPEN_PORTS+=('Email 587')
+ OPEN_PORTS+=('Email 465')
+ OPEN_PORTS+=('Email 993')
+ echo 'configure_firewall_for_email' >> $COMPLETION_FILE
+}
+
 function encrypt_incoming_email {
 # encrypts incoming mail using your GPG public key
 # so even if an attacker gains access to the data at rest they still need
diff --git a/src/freedombone-app-ipfs b/src/freedombone-app-ipfs
index b564cf28..3037e6a0 100755
--- a/src/freedombone-app-ipfs
+++ b/src/freedombone-app-ipfs
@@ -32,6 +32,24 @@ IPFS_GO_REPO="https://github.com/ipfs/go-ipfs"
 IPFS_COMMIT='20b06a4cbce8884f5b194da6e98cb11f2c77f166'
 IPFS_PORT=4001
+function configure_firewall_for_ipfs {
+ if [[ $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" ]]; then
+ return
+ fi
+ if grep -Fxq "configure_firewall_for_ipfs" $COMPLETION_FILE; then
+ return
+ fi
+ if [[ $ONION_ONLY != "no" ]]; then
+ return
+ fi
+ iptables -A INPUT -p tcp --dport $IPFS_PORT -j ACCEPT
+ function_check save_firewall_settings
+ save_firewall_settings
+
+ OPEN_PORTS+=("IPFS $IPFS_PORT")
+ echo 'configure_firewall_for_ipfs' >> $COMPLETION_FILE
+}
+
 function install_ipfs {
 if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" ]]; then
 return
@@ -163,5 +181,8 @@ function install_ipfs {
 rm /tmp/ipfsid
 fi
+ function_check configure_firewall_for_ipfs
+ configure_firewall_for_ipfs
+
 echo 'install_ipfs' >> $COMPLETION_FILE
 }
diff --git a/src/freedombone-app-irc b/src/freedombone-app-irc
index 8aff263e..6d9e5082 100755
--- a/src/freedombone-app-irc
+++ b/src/freedombone-app-irc
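Review bot: configure_firewall_for_ipfs has no `INSTALLED_WITHIN_DOCKER` guard, while the dlna, email, irc, tox and xmpp functions in this same commit return early under Docker with the comment that Docker does its own firewalling; the mumble, sip, syncthing and zeronet hunks omit it as well. If the omission is not deliberate, add after the completion check: `if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then` / `return` / `fi`. The call site added to install_ipfs in the second hunk is fine, though install_ipfs's own VARIANT_CHAT/VARIANT_MAILBOX early return now duplicates the first check inside the firewall function, so one of the two could carry a comment saying which is authoritative.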
@@ -34,6 +34,29 @@ IRC_ONION_PORT=6697
 # An optional password to log into IRC. This applies to all users
 IRC_PASSWORD=
+function configure_firewall_for_irc {
+ if [ ! -d /etc/ngircd ]; then
+ return
+ fi
+ if grep -Fxq "configure_firewall_for_irc" $COMPLETION_FILE; then
+ return
+ fi
+ if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
+ # docker does its own firewalling
+ return
+ fi
+ if [[ $ONION_ONLY != "no" ]]; then
+ return
+ fi
+ iptables -A INPUT -p tcp --dport $IRC_PORT -j ACCEPT
+ iptables -I INPUT -p tcp --dport 1024:65535 --sport $IRC_PORT -j ACCEPT
+ function_check save_firewall_settings
+ save_firewall_settings
+
+ OPEN_PORTS+=("IRC $IRC_PORT")
+ echo 'configure_firewall_for_irc' >> $COMPLETION_FILE
+}
+
 function install_irc_server {
 if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
 return
diff --git a/src/freedombone-app-mumble b/src/freedombone-app-mumble
index 0428cb63..038ae22e 100755
--- a/src/freedombone-app-mumble
+++ b/src/freedombone-app-mumble
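Review bot: The second rule in configure_firewall_for_irc, `iptables -I INPUT -p tcp --dport 1024:65535 --sport $IRC_PORT -j ACCEPT`, accepts inbound TCP to every unprivileged port whenever the remote source port equals $IRC_PORT, and the source port is chosen by the remote side, so the rule amounts to a firewall exemption for any service listening on 1024-65535; it is also inserted at the head of the chain with `-I`, ahead of whatever restrictive rules precede it. The intent is presumably to let replies to the server's own outbound connections back in, which connection tracking already covers when the chain has an ESTABLISHED rule (the cjdns function removed in this commit uses `-m state --state RELATED,ESTABLISHED` for exactly that); I would drop this line, or at most narrow it to `iptables -A INPUT -p tcp --sport $IRC_PORT -m state --state ESTABLISHED -j ACCEPT`. The rest of the function matches its siblings.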
@@ -53,6 +53,25 @@ function get_voip_server_password {
 fi
 }
+function configure_firewall_for_voip {
+ if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then
+ return
+ fi
+ if grep -Fxq "configure_firewall_for_voip" $COMPLETION_FILE; then
+ return
+ fi
+ if [[ $ONION_ONLY != "no" ]]; then
+ return
+ fi
+ iptables -A INPUT -p udp --dport $VOIP_PORT -j ACCEPT
+ iptables -A INPUT -p tcp --dport $VOIP_PORT -j ACCEPT
+ function_check save_firewall_settings
+ save_firewall_settings
+
+ OPEN_PORTS+=("Mumble $VOIP_PORT")
+ echo 'configure_firewall_for_voip' >> $COMPLETION_FILE
+}
+
 function install_mumble {
 if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then
 return
diff --git a/src/freedombone-app-sip b/src/freedombone-app-sip
index 312b7436..10f7b305 100755
--- a/src/freedombone-app-sip
+++ b/src/freedombone-app-sip
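Review bot: The six-variant `SYSTEM_TYPE` guard that opens configure_firewall_for_voip is repeated verbatim in install_mumble directly below it, and the sip hunk's configure_firewall_for_voip_turn and configure_firewall_for_sip4 carry the same list again; four copies of one policy is how the lists drift apart the next time a variant is added. A small helper such as `function voip_not_supported_on_variant {` that returns 0 for those six variants, called as `if voip_not_supported_on_variant; then return; fi`, would keep the decision in one place (name constructed here; pick whatever fits the project's naming). This is a style point only; behaviour is unchanged by the move.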
@@ -35,6 +35,50 @@ VOIP_TURN_PORT=3478
 VOIP_TURN_TLS_PORT=5349
 VOIP_TURN_NONCE=
+function configure_firewall_for_voip_turn {
+ if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then
+ return
+ fi
+ if grep -Fxq "configure_firewall_for_voip_turn" $COMPLETION_FILE; then
+ return
+ fi
+ if [[ $ONION_ONLY != "no" ]]; then
+ return
+ fi
+ iptables -A INPUT -p udp --dport $VOIP_TURN_PORT -j ACCEPT
+ iptables -A INPUT -p tcp --dport $VOIP_TURN_PORT -j ACCEPT
+ iptables -A INPUT -p tcp --dport $VOIP_TURN_TLS_PORT -j ACCEPT
+ function_check save_firewall_settings
+ save_firewall_settings
+
+ OPEN_PORTS+=("TURN $VOIP_TURN_PORT")
+ OPEN_PORTS+=("TURN TLS $VOIP_TURN_TLS_PORT")
+ echo 'configure_firewall_for_voip_turn' >> $COMPLETION_FILE
+}
+
+
+function configure_firewall_for_sip4 {
+ if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then
+ return
+ fi
+ if grep -Fxq "configure_firewall_for_sip4" $COMPLETION_FILE; then
+ return
+ fi
+ if [[ $ONION_ONLY != "no" ]]; then
+ return
+ fi
+ iptables -A INPUT -p udp --dport $SIP_PORT -j ACCEPT
+ iptables -A INPUT -p tcp --dport $SIP_PORT -j ACCEPT
+ iptables -A INPUT -p udp --dport $SIP_TLS_PORT -j ACCEPT
+ iptables -A INPUT -p tcp --dport $SIP_TLS_PORT -j ACCEPT
+ function_check save_firewall_settings
+ save_firewall_settings
+
+ OPEN_PORTS+=("SIP $SIP_PORT")
+ OPEN_PORTS+=("SIP TLS $SIP_TLS_PORT")
+ echo 'configure_firewall_for_sip4' >> $COMPLETION_FILE
+}
+
 function get_sip_server_password {
 if [ -f /home/$MY_USERNAME/README ]; then
 if grep -q "SIP server password" /home/$MY_USERNAME/README; then
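Review bot: configure_firewall_for_sip4 opens $SIP_TLS_PORT for both UDP and TCP, but SIP over TLS is specified over TCP only (RFC 3261), so the line `iptables -A INPUT -p udp --dport $SIP_TLS_PORT -j ACCEPT` admits UDP to a port on which nothing should be listening and can be dropped; configure_firewall_for_voip_turn just above already opens only TCP on $VOIP_TURN_TLS_PORT, which is the consistent shape. Both functions in this hunk also omit the `INSTALLED_WITHIN_DOCKER` guard that the dlna, email, irc, tox and xmpp functions in this commit apply before touching iptables. If the UDP rule on the TLS port is intentional for some client, a comment on that line naming the reason would stop the next reviewer from removing it.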
diff --git a/src/freedombone-app-syncthing b/src/freedombone-app-syncthing
index 2ac4dd15..2fb19b29 100755
--- a/src/freedombone-app-syncthing
+++ b/src/freedombone-app-syncthing
@@ -37,6 +37,19 @@ SYNCTHING_PORT=22000
 SYNCTHING_SHARED_DATA=/var/lib/syncthing/SyncShared
 SYNCTHING_USER_IDS_FILE='.syncthingids'
+function configure_firewall_for_syncthing {
+ if grep -Fxq "configure_firewall_for_syncthing" $COMPLETION_FILE; then
+ return
+ fi
+ iptables -A INPUT -p udp --dport $SYNCTHING_PORT -j ACCEPT
+ iptables -A INPUT -p tcp --dport $SYNCTHING_PORT -j ACCEPT
+ function_check save_firewall_settings
+ save_firewall_settings
+
+ OPEN_PORTS+=("Syncthing $SYNCTHING_PORT")
+ echo 'configure_firewall_for_syncthing' >> $COMPLETION_FILE
+}
+
 function install_syncthing {
 if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
 return
diff --git a/src/freedombone-app-tox b/src/freedombone-app-tox
index e6bdff93..d8c3f14e 100755
--- a/src/freedombone-app-tox
+++ b/src/freedombone-app-tox
@@ -44,6 +44,25 @@ TOXIC_REPO="https://github.com/Tox/toxic"
 TOXIC_COMMIT='cf16849b374e484a33a4dffa3dfb937b59d537f2'
 TOXIC_FILE=/usr/local/bin/toxic
+function configure_firewall_for_tox {
+ if grep -Fxq "configure_firewall_for_tox" $COMPLETION_FILE; then
+ return
+ fi
+ if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
+ # docker does its own firewalling
+ return
+ fi
+ if [[ $ONION_ONLY != "no" ]]; then
+ return
+ fi
+ iptables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT
+ function_check save_firewall_settings
+ save_firewall_settings
+
+ OPEN_PORTS+=("Tox $TOX_PORT")
+ echo 'configure_firewall_for_tox' >> $COMPLETION_FILE
+}
+
 function tox_avahi {
 if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then
 return
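Review bot: configure_firewall_for_syncthing opens $SYNCTHING_PORT on UDP and TCP with no `ONION_ONLY` gate, no variant check and no Docker check, while the email, ipfs, irc, mumble, sip, tox and xmpp functions in this commit all return first when `$ONION_ONLY != "no"`; on an onion-only install this function still opens a clearnet port. install_syncthing, visible directly below, carries a seven-variant guard that the firewall function lacks, so if configure_firewall_for_syncthing is ever called from anywhere other than install_syncthing the port is opened on variants that do not run Syncthing (I cannot see the call sites from this diff). Adding `if [[ $ONION_ONLY != "no" ]]; then return; fi` after the completion check brings it in line with the tox function in the next hunk.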
diff --git a/src/freedombone-app-xmpp b/src/freedombone-app-xmpp
index b9c3e0f8..c289e099 100755
--- a/src/freedombone-app-xmpp
+++ b/src/freedombone-app-xmpp
@@ -35,6 +35,32 @@ XMPP_PASSWORD=
 XMPP_CIPHERS='"EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"'
 XMPP_ECC_CURVE='"secp384r1"'
+function configure_firewall_for_xmpp {
+ if [ ! -d /etc/prosody ]; then
+ return
+ fi
+ if grep -Fxq "configure_firewall_for_xmpp" $COMPLETION_FILE; then
+ return
+ fi
+ if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
+ # docker does its own firewalling
+ return
+ fi
+ if [[ $ONION_ONLY != "no" ]]; then
+ return
+ fi
+ iptables -A INPUT -p tcp --dport 5222:5223 -j ACCEPT
+ iptables -A INPUT -p tcp --dport 5269 -j ACCEPT
+ iptables -A INPUT -p tcp --dport 5280:5281 -j ACCEPT
+ function_check save_firewall_settings
+ save_firewall_settings
+
+ OPEN_PORTS+=('XMPP 5222-5223')
+ OPEN_PORTS+=('XMPP 5269')
+ OPEN_PORTS+=('XMPP 5280-5281')
+ echo 'configure_firewall_for_xmpp' >> $COMPLETION_FILE
+}
+
 function update_prosody_modules {
 if [ ! -d $INSTALL_DIR/prosody-modules ]; then
 return
diff --git a/src/freedombone-app-zeronet b/src/freedombone-app-zeronet
index 7d149ed3..a3dddd6c 100755
--- a/src/freedombone-app-zeronet
+++ b/src/freedombone-app-zeronet
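Review bot: configure_firewall_for_xmpp opens the 5280:5281 range, which covers both the plain-HTTP BOSH listener conventionally on 5280 and the HTTPS one on 5281; unless the prosody configuration really serves clients on 5280, narrowing the rule to `iptables -A INPUT -p tcp --dport 5281 -j ACCEPT` (and the label to `'XMPP 5281'`) keeps the unencrypted path closed. I cannot see the prosody configuration from this diff, so treat this as a check to make rather than a certain defect. Separately, the `[ ! -d /etc/prosody ]` return precedes the completion-marker check, so on a fresh install the function is a silent no-op until prosody exists and must be called again afterwards; a comment on that first check stating this expectation would make the ordering obviously deliberate.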
@@ -45,6 +45,26 @@ ZERONET_DEFAULT_MAIL_TAGLINE="Mail for the Mesh"
 ZERONET_ID_REPO="https://github.com/HelloZeroNet/ZeroID"
 ZERONET_ID_COMMIT='ccf14fdc96fa9cdb2ddd8a7ab283a8e17a4f234b'
+function configure_firewall_for_zeronet {
+ if grep -Fxq "configure_firewall_for_zeronet" $COMPLETION_FILE; then
+ return
+ fi
+ if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then
+ return
+ fi
+ iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $ZERONET_PORT -j ACCEPT
+ iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $ZERONET_PORT -j ACCEPT
+ iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $TRACKER_PORT -j ACCEPT
+ iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $TRACKER_PORT -j ACCEPT
+ iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport 1900 -j ACCEPT
+ function_check save_firewall_settings
+ save_firewall_settings
+
+ OPEN_PORTS+=("ZeroNet $ZERONET_PORT")
+ OPEN_PORTS+=("Tracker $TRACKER_PORT")
+ echo 'configure_firewall_for_zeronet' >> $COMPLETION_FILE
+}
+
 function install_zeronet_blog {
 if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then
 return
diff --git a/src/freedombone-utils-firewall b/src/freedombone-utils-firewall
index 118de875..d232989d 100755
--- a/src/freedombone-utils-firewall
+++ b/src/freedombone-utils-firewall
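Review bot: configure_firewall_for_zeronet opens udp 1900 on $WIFI_INTERFACE but the OPEN_PORTS entries record only $ZERONET_PORT and $TRACKER_PORT, so whatever reports the open-port list to the user will omit the SSDP port; add `OPEN_PORTS+=("ZeroNet SSDP 1900")` (label constructed to match the existing ones) after the Tracker entry. The 1900 rule also carries no explanation of why ZeroNet needs SSDP on the mesh interface, while the dlna function opens the same port for a different reason; a one-line comment above it, e.g. `# SSDP discovery on the mesh interface`, would save the next reader a search. Unlike the dlna rule this one is at least bound to an interface, which is the shape the dlna function should follow too.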
@@ -103,100 +103,6 @@ function configure_firewall_ping {
 echo 'configure_firewall_ping' >> $COMPLETION_FILE
 }
-function configure_firewall_for_voip {
- if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then
- return
- fi
- if grep -Fxq "configure_firewall_for_voip" $COMPLETION_FILE; then
- return
- fi
- if [[ $ONION_ONLY != "no" ]]; then
- return
- fi
- iptables -A INPUT -p udp --dport $VOIP_PORT -j ACCEPT
- iptables -A INPUT -p tcp --dport $VOIP_PORT -j ACCEPT
- function_check save_firewall_settings
- save_firewall_settings
-
- OPEN_PORTS+=("Mumble $VOIP_PORT")
- echo 'configure_firewall_for_voip' >> $COMPLETION_FILE
-}
-
-function configure_firewall_for_syncthing {
- if grep -Fxq "configure_firewall_for_syncthing" $COMPLETION_FILE; then
- return
- fi
- iptables -A INPUT -p udp --dport $SYNCTHING_PORT -j ACCEPT
- iptables -A INPUT -p tcp --dport $SYNCTHING_PORT -j ACCEPT
- function_check save_firewall_settings
- save_firewall_settings
-
- OPEN_PORTS+=("Syncthing $SYNCTHING_PORT")
- echo 'configure_firewall_for_syncthing' >> $COMPLETION_FILE
-}
-
-function configure_firewall_for_voip_turn {
- if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then
- return
- fi
- if grep -Fxq "configure_firewall_for_voip_turn" $COMPLETION_FILE; then
- return
- fi
- if [[ $ONION_ONLY != "no" ]]; then
- return
- fi
- iptables -A INPUT -p udp --dport $VOIP_TURN_PORT -j ACCEPT
- iptables -A INPUT -p tcp --dport $VOIP_TURN_PORT -j ACCEPT
- iptables -A INPUT -p tcp --dport $VOIP_TURN_TLS_PORT -j ACCEPT
- function_check save_firewall_settings
- save_firewall_settings
-
- OPEN_PORTS+=("TURN $VOIP_TURN_PORT")
- OPEN_PORTS+=("TURN TLS $VOIP_TURN_TLS_PORT")
- echo 'configure_firewall_for_voip_turn' >> $COMPLETION_FILE
-}
-
-
-function configure_firewall_for_sip4 {
- if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then
- return
- fi
- if grep -Fxq "configure_firewall_for_sip4" $COMPLETION_FILE; then
- return
- fi
- if [[ $ONION_ONLY != "no" ]]; then
- return
- fi
- iptables -A INPUT -p udp --dport $SIP_PORT -j ACCEPT
- iptables -A INPUT -p tcp --dport $SIP_PORT -j ACCEPT
- iptables -A INPUT -p udp --dport $SIP_TLS_PORT -j ACCEPT
- iptables -A INPUT -p tcp --dport $SIP_TLS_PORT -j ACCEPT
- function_check save_firewall_settings
- save_firewall_settings
-
- OPEN_PORTS+=("SIP $SIP_PORT")
- OPEN_PORTS+=("SIP TLS $SIP_TLS_PORT")
- echo 'configure_firewall_for_sip4' >> $COMPLETION_FILE
-}
-
-function configure_firewall_for_ipfs {
- if [[ $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" ]]; then
- return
- fi
- if grep -Fxq "configure_firewall_for_ipfs" $COMPLETION_FILE; then
- return
- fi
- if [[ $ONION_ONLY != "no" ]]; then
- return
- fi
- iptables -A INPUT -p tcp --dport $IPFS_PORT -j ACCEPT
- function_check save_firewall_settings
- save_firewall_settings
-
- OPEN_PORTS+=("IPFS $IPFS_PORT")
- echo 'configure_firewall_for_ipfs' >> $COMPLETION_FILE
-}
-
 function configure_firewall_for_avahi {
 if grep -Fxq "configure_firewall_for_avahi" $COMPLETION_FILE; then
 return
@@ -212,89 +118,6 @@ function configure_firewall_for_avahi {
 echo 'configure_firewall_for_avahi' >> $COMPLETION_FILE
 }
-function configure_firewall_for_cjdns {
- if grep -Fxq "configure_firewall_for_cjdns" $COMPLETION_FILE; then
- return
- fi
- if [[ $ENABLE_CJDNS != "yes" ]]; then
- return
- fi
- ip6tables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
- ip6tables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
- function_check save_firewall_settings
- save_firewall_settings
- echo 'configure_firewall_for_cjdns' >> $COMPLETION_FILE
-}
-
-function configure_firewall_for_batman {
- if grep -Fxq "configure_firewall_for_batman" $COMPLETION_FILE; then
- return
- fi
- if [[ $ENABLE_BATMAN != "yes" ]]; then
- return
- fi
-
- function_check save_firewall_settings
- save_firewall_settings
- echo 'configure_firewall_for_batman' >> $COMPLETION_FILE
-}
-
-function configure_firewall_for_babel {
- if grep -Fxq "configure_firewall_for_babel" $COMPLETION_FILE; then
- return
- fi
- if [[ $ENABLE_BABEL != "yes" ]]; then
- return
- fi
- iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $BABEL_PORT -j ACCEPT
- function_check save_firewall_settings
- save_firewall_settings
-
- OPEN_PORTS+=("Babel $BABEL_PORT")
- echo 'configure_firewall_for_babel' >> $COMPLETION_FILE
-}
-
-function configure_firewall_for_zeronet {
- if grep -Fxq "configure_firewall_for_zeronet" $COMPLETION_FILE; then
- return
- fi
- if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then
- return
- fi
- iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $ZERONET_PORT -j ACCEPT
- iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $ZERONET_PORT -j ACCEPT
- iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $TRACKER_PORT -j ACCEPT
- iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $TRACKER_PORT -j ACCEPT
- iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport 1900 -j ACCEPT
- function_check save_firewall_settings
- save_firewall_settings
-
- OPEN_PORTS+=("ZeroNet $ZERONET_PORT")
- OPEN_PORTS+=("Tracker $TRACKER_PORT")
- echo 'configure_firewall_for_zeronet' >> $COMPLETION_FILE
-}
-
-function configure_firewall_for_dlna {
- if grep -Fxq "configure_firewall_for_dlna" $COMPLETION_FILE; then
- return
- fi
- if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
- # docker does its own firewalling
- return
- fi
- if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" ]]; then
- return
- fi
- iptables -A INPUT -p udp --dport 1900 -j ACCEPT
- iptables -A INPUT -p tcp --dport 8200 -j ACCEPT
- function_check save_firewall_settings
- save_firewall_settings
-
- OPEN_PORTS+=('DLNA 1900')
- OPEN_PORTS+=('DLNA 8200')
- echo 'configure_firewall_for_dlna' >> $COMPLETION_FILE
-}
-
 function configure_firewall_for_dns {
 if grep -Fxq "configure_firewall_for_dns" $COMPLETION_FILE; then
 return
@@ -309,55 +132,6 @@ function configure_firewall_for_dns {
 echo 'configure_firewall_for_dns' >> $COMPLETION_FILE
 }
-function configure_firewall_for_xmpp {
- if [ ! -d /etc/prosody ]; then
- return
- fi
- if grep -Fxq "configure_firewall_for_xmpp" $COMPLETION_FILE; then
- return
- fi
- if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
- # docker does its own firewalling
- return
- fi
- if [[ $ONION_ONLY != "no" ]]; then
- return
- fi
- iptables -A INPUT -p tcp --dport 5222:5223 -j ACCEPT
- iptables -A INPUT -p tcp --dport 5269 -j ACCEPT
- iptables -A INPUT -p tcp --dport 5280:5281 -j ACCEPT
- function_check save_firewall_settings
- save_firewall_settings
-
- OPEN_PORTS+=('XMPP 5222-5223')
- OPEN_PORTS+=('XMPP 5269')
- OPEN_PORTS+=('XMPP 5280-5281')
- echo 'configure_firewall_for_xmpp' >> $COMPLETION_FILE
-}
-
-function configure_firewall_for_irc {
- if [ ! -d /etc/ngircd ]; then
- return
- fi
- if grep -Fxq "configure_firewall_for_irc" $COMPLETION_FILE; then
- return
- fi
- if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
- # docker does its own firewalling
- return
- fi
- if [[ $ONION_ONLY != "no" ]]; then
- return
- fi
- iptables -A INPUT -p tcp --dport $IRC_PORT -j ACCEPT
- iptables -I INPUT -p tcp --dport 1024:65535 --sport $IRC_PORT -j ACCEPT
- function_check save_firewall_settings
- save_firewall_settings
-
- OPEN_PORTS+=("IRC $IRC_PORT")
- echo 'configure_firewall_for_irc' >> $COMPLETION_FILE
-}
-
 function configure_firewall_for_web_access {
 if grep -Fxq "configure_firewall_for_web_access" $COMPLETION_FILE; then
 return
@@ -398,25 +172,6 @@ function configure_firewall_for_web_server {
 echo 'configure_firewall_for_web_server' >> $COMPLETION_FILE
 }
-function configure_firewall_for_tox {
- if grep -Fxq "configure_firewall_for_tox" $COMPLETION_FILE; then
- return
- fi
- if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
- # docker does its own firewalling
- return
- fi
- if [[ $ONION_ONLY != "no" ]]; then
- return
- fi
- iptables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT
- function_check save_firewall_settings
- save_firewall_settings
-
- OPEN_PORTS+=("Tox $TOX_PORT")
- echo 'configure_firewall_for_tox' >> $COMPLETION_FILE
-}
-
 function configure_firewall_for_ssh {
 if grep -Fxq "configure_firewall_for_ssh" $COMPLETION_FILE; then
 return
@@ -453,34 +208,6 @@ function configure_firewall_for_git {
 echo 'configure_firewall_for_git' >> $COMPLETION_FILE
 }
-function configure_firewall_for_email {
- if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" ]]; then
- return
- fi
- if grep -Fxq "configure_firewall_for_email" $COMPLETION_FILE; then
- return
- fi
- if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
- # docker does its own firewalling
- return
- fi
- if [[ $ONION_ONLY != "no" ]]; then
- return
- fi
- iptables -A INPUT -p tcp --dport 25 -j ACCEPT
- iptables -A INPUT -p tcp --dport 587 -j ACCEPT
- iptables -A INPUT -p tcp --dport 465 -j ACCEPT
- iptables -A INPUT -p tcp --dport 993 -j ACCEPT
- function_check save_firewall_settings
- save_firewall_settings
-
- OPEN_PORTS+=('Email 25')
- OPEN_PORTS+=('Email 587')
- OPEN_PORTS+=('Email 465')
- OPEN_PORTS+=('Email 993')
- echo 'configure_firewall_for_email' >> $COMPLETION_FILE
-}
-
 function configure_internet_protocol {
 if grep -Fxq "configure_internet_protocol" $COMPLETION_FILE; then
 return