From 142a41319ad6ef2d3d792900ca87152f84640dec Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Mon, 17 Aug 2015 13:17:28 +0100
Subject: [PATCH] Allow icmp for mesh variant
---
 src/freedombone | 71 ++++++++++++++++++++++++++++++++-----------------
 1 file changed, 46 insertions(+), 25 deletions(-)
diff --git a/src/freedombone b/src/freedombone
index 210b2bf0..19095527 100755
--- a/src/freedombone
+++ b/src/freedombone
@@ -1505,8 +1505,8 @@ function mesh_cjdns {
 fi
 fi
- ip6tables -A INPUT -i eth0 -p udp --dport $CJDNS_PORT -j ACCEPT
- ip6tables -A INPUT -i eth0 -p tcp --dport $CJDNS_PORT -j ACCEPT
+ ip6tables -A INPUT -p udp --dport $CJDNS_PORT -j ACCEPT
+ ip6tables -A INPUT -p tcp --dport $CJDNS_PORT -j ACCEPT
 save_firewall_settings
 if ! grep -q "Mesh Networking (cjdns)" /home/$MY_USERNAME/README; then
@@ -5887,6 +5887,20 @@ function save_firewall_settings {
 chmod +x /etc/network/if-up.d/iptables
 }
+function configure_firewall_ping {
+ if grep -Fxq "configure_firewall_ping" $COMPLETION_FILE; then
+ return
+ fi
+ # Only allow ping for mesh installs
+ if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then
+ return
+ fi
+ iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+ iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
+ save_firewall_settings
+ echo 'configure_firewall_ping' >> $COMPLETION_FILE
+}
 function configure_firewall_for_voip {
 if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then
 return
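Review bot: Dropping `-i eth0` from the cjdns ACCEPT rules here, and from every iptables rule in the later hunks (voip, dlna, dns, xmpp, irc, web_access, web_server, tox, ssh, git, email), widens each accept from one interface to all interfaces for every variant, while the subject line scopes the change to the mesh variant. On a non-mesh install this presumably means each service becomes reachable on any interface that comes up, such as a wireless or tunnel device; the chain's default policy is not visible in the hunk, so that is inferred. If only the mesh variant needs interface-agnostic rules, compute the qualifier once and reuse it, e.g. `IFACE_OPT=""; [[ $SYSTEM_TYPE == "$VARIANT_MESH" ]] || IFACE_OPT="-i eth0"` (constructed name) and then `ip6tables -A INPUT $IFACE_OPT -p udp --dport $CJDNS_PORT -j ACCEPT`, with the same substitution in the other functions. mesh_cjdns starts and ends outside the hunk.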
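Review bot: `iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT` in configure_firewall_ping accepts echo-request from any source on any interface with no rate limit; `iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT` keeps the mesh node pingable while bounding the reply load a flood of requests can cause. The OUTPUT rule for echo-reply only has an effect if the OUTPUT chain policy is DROP, which this hunk does not show; if it is, outbound echo-request from the node itself is still not permitted, so ping from the node would fail. The function adds no ip6tables rule although the mesh traffic set up in mesh_cjdns is IPv6; worth confirming whether ICMPv6 is handled elsewhere. A header comment would help the next reader, e.g. `# Mesh variant only: accept inbound echo-request and let echo-reply leave; other variants leave ICMP to the chain policy`.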
@@ -5894,8 +5908,8 @@ function configure_firewall_for_voip {
 if grep -Fxq "configure_firewall_for_voip" $COMPLETION_FILE; then
 return
 fi
- iptables -A INPUT -i eth0 -p udp --dport $VOIP_PORT -j ACCEPT
- iptables -A INPUT -i eth0 -p tcp --dport $VOIP_PORT -j ACCEPT
+ iptables -A INPUT -p udp --dport $VOIP_PORT -j ACCEPT
+ iptables -A INPUT -p tcp --dport $VOIP_PORT -j ACCEPT
 save_firewall_settings
 echo 'configure_firewall_for_voip' >> $COMPLETION_FILE
 }
@@ -5967,8 +5981,8 @@ function configure_firewall_for_dlna {
 if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" ]]; then
 return
 fi
- iptables -A INPUT -i eth0 -p udp --dport 1900 -j ACCEPT
- iptables -A INPUT -i eth0 -p tcp --dport 8200 -j ACCEPT
+ iptables -A INPUT -p udp --dport 1900 -j ACCEPT
+ iptables -A INPUT -p tcp --dport 8200 -j ACCEPT
 save_firewall_settings
 echo 'configure_firewall_for_dlna' >> $COMPLETION_FILE
 }
@@ -5981,7 +5995,7 @@ function configure_firewall_for_dns {
 # docker does its own firewalling
 return
 fi
- iptables -A INPUT -i eth0 -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
+ iptables -A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
 save_firewall_settings
 echo 'configure_firewall_for_dns' >> $COMPLETION_FILE
 }
@@ -5997,9 +6011,9 @@ function configure_firewall_for_xmpp {
 # docker does its own firewalling
 return
 fi
- iptables -A INPUT -i eth0 -p tcp --dport 5222:5223 -j ACCEPT
- iptables -A INPUT -i eth0 -p tcp --dport 5269 -j ACCEPT
- iptables -A INPUT -i eth0 -p tcp --dport 5280:5281 -j ACCEPT
+ iptables -A INPUT -p tcp --dport 5222:5223 -j ACCEPT
+ iptables -A INPUT -p tcp --dport 5269 -j ACCEPT
+ iptables -A INPUT -p tcp --dport 5280:5281 -j ACCEPT
 save_firewall_settings
 echo 'configure_firewall_for_xmpp' >> $COMPLETION_FILE
 }
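Review bot: The dns rule `iptables -A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT` accepts any UDP datagram whose source port is 53 into the whole unprivileged port range, and with `-i eth0` gone that now holds on every interface; the source port is chosen by the sender, so this is not a reply filter. The same pattern appears in web_access (`--sport 80` and `--sport 443`) and irc (`--sport $IRC_PORT`) on the next line. Replies to the host's own outbound queries are better admitted by connection state, `iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`, which would make these three source-port rules unnecessary. configure_firewall_for_dns starts outside the hunk.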
@@ -6015,9 +6029,9 @@ function configure_firewall_for_irc {
 # docker does its own firewalling
 return
 fi
- iptables -A INPUT -i eth0 -p tcp --dport $IRC_PORT -j ACCEPT
- iptables -I INPUT -i eth0 -p tcp --dport 1024:65535 --sport $IRC_PORT -j ACCEPT
- iptables -A INPUT -i eth0 -p tcp --dport 9999 -j ACCEPT
+ iptables -A INPUT -p tcp --dport $IRC_PORT -j ACCEPT
+ iptables -I INPUT -p tcp --dport 1024:65535 --sport $IRC_PORT -j ACCEPT
+ iptables -A INPUT -p tcp --dport 9999 -j ACCEPT
 save_firewall_settings
 echo 'configure_firewall_for_irc' >> $COMPLETION_FILE
 }
@@ -6043,8 +6057,8 @@ function configure_firewall_for_web_access {
 # docker does its own firewalling
 return
 fi
- iptables -A INPUT -i eth0 -p tcp --dport 32768:61000 --sport 80 -j ACCEPT
- iptables -A INPUT -i eth0 -p tcp --dport 32768:61000 --sport 443 -j ACCEPT
+ iptables -A INPUT -p tcp --dport 32768:61000 --sport 80 -j ACCEPT
+ iptables -A INPUT -p tcp --dport 32768:61000 --sport 443 -j ACCEPT
 save_firewall_settings
 echo 'configure_firewall_for_web_access' >> $COMPLETION_FILE
 }
@@ -6057,8 +6071,8 @@ function configure_firewall_for_web_server {
 # docker does its own firewalling
 return
 fi
- iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
- iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
+ iptables -A INPUT -p tcp --dport 80 -j ACCEPT
+ iptables -A INPUT -p tcp --dport 443 -j ACCEPT
 save_firewall_settings
 echo 'configure_firewall_for_web_server' >> $COMPLETION_FILE
 }
@@ -6071,7 +6085,7 @@ function configure_firewall_for_tox {
 # docker does its own firewalling
 return
 fi
- iptables -A INPUT -i eth0 -p tcp --dport $TOX_PORT -j ACCEPT
+ iptables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT
 save_firewall_settings
 echo 'configure_firewall_for_tox' >> $COMPLETION_FILE
 }
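Review bot: `iptables -I INPUT -p tcp --dport 1024:65535 --sport $IRC_PORT -j ACCEPT` is the only rule in this commit that inserts at the head of INPUT rather than appending, so it is evaluated before anything configure_firewall placed in the chain, and with the interface qualifier removed it now matches on every interface. If head-of-chain placement is not deliberate, `iptables -A INPUT -p tcp --dport 1024:65535 --sport $IRC_PORT -j ACCEPT` keeps it in line with the surrounding rules; if it is deliberate, a short comment saying why would spare the next reader a walk through the chain order. configure_firewall_for_irc begins outside the hunk.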
@@ -6084,8 +6098,8 @@ function configure_firewall_for_ssh {
 # docker does its own firewalling
 return
 fi
- iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
- iptables -A INPUT -i eth0 -p tcp --dport $SSH_PORT -j ACCEPT
+ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+ iptables -A INPUT -p tcp --dport $SSH_PORT -j ACCEPT
 save_firewall_settings
 echo 'configure_firewall_for_ssh' >> $COMPLETION_FILE
 }
@@ -6098,7 +6112,7 @@ function configure_firewall_for_git {
 # docker does its own firewalling
 return
 fi
- iptables -A INPUT -i eth0 -p tcp --dport 9418 -j ACCEPT
+ iptables -A INPUT -p tcp --dport 9418 -j ACCEPT
 save_firewall_settings
 echo 'configure_firewall_for_git' >> $COMPLETION_FILE
 }
@@ -6114,10 +6128,10 @@ function configure_firewall_for_email {
 # docker does its own firewalling
 return
 fi
- iptables -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
- iptables -A INPUT -i eth0 -p tcp --dport 587 -j ACCEPT
- iptables -A INPUT -i eth0 -p tcp --dport 465 -j ACCEPT
- iptables -A INPUT -i eth0 -p tcp --dport 993 -j ACCEPT
+ iptables -A INPUT -p tcp --dport 25 -j ACCEPT
+ iptables -A INPUT -p tcp --dport 587 -j ACCEPT
+ iptables -A INPUT -p tcp --dport 465 -j ACCEPT
+ iptables -A INPUT -p tcp --dport 993 -j ACCEPT
 save_firewall_settings
 echo 'configure_firewall_for_email' >> $COMPLETION_FILE
 }
@@ -9883,8 +9897,14 @@ function intrusion_detection {
 fi
 # Avoid logging the changed database
 sed -i 's|$(TWETC)/tw.pol.*||g' /etc/tripwire/twpol.txt
+ # recreate the configuration echo ' +' | twadmin --create-cfgfile -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt + # reset + echo ' + + ' | reset-tripwire
@@ -10241,6 +10261,7 @@ check_domains
 install_not_on_BBB
 remove_default_user
 configure_firewall
+configure_firewall_ping
 configure_firewall_for_ssh
 configure_firewall_for_dns
 configure_firewall_for_ftp
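Review bot: The `echo '…' | twadmin --create-cfgfile -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt` and `echo '…' | reset-tripwire` pipelines in the intrusion_detection hunk run unchecked, so a failed configuration rebuild or reset leaves the function continuing with whatever tripwire state was there before and prints nothing; the collapsed layout of this hunk makes it hard to tell how many blank lines each echo feeds, which is itself a reason to document them. A comment above the first pipeline stating what the blank lines answer, plus `|| echo 'twadmin --create-cfgfile failed' >&2` and the equivalent on the reset-tripwire pipeline, would make both the intent and a failure visible. intrusion_detection starts and ends outside the hunk.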