From bc76f9237fdbbd5f49197146cc00544df8bd908e Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@robotics.uk.to>
Date: Sun, 3 Jul 2016 18:52:57 +0100
Subject: [PATCH] Move firewall functions into app scripts

---
 src/freedombone-app-babel      |  15 +
 src/freedombone-app-batman     |  13 +
 src/freedombone-app-cjdns      | 783 +++++++++++++++++----------------
 src/freedombone-app-dlna       |  21 +
 src/freedombone-app-email      |  28 ++
 src/freedombone-app-ipfs       |  21 +
 src/freedombone-app-irc        |  23 +
 src/freedombone-app-mumble     |  19 +
 src/freedombone-app-sip        |  44 ++
 src/freedombone-app-syncthing  |  13 +
 src/freedombone-app-tox        |  19 +
 src/freedombone-app-xmpp       |  26 ++
 src/freedombone-app-zeronet    |  20 +
 src/freedombone-utils-firewall | 273 ------------
 14 files changed, 662 insertions(+), 656 deletions(-)

diff --git a/src/freedombone-app-babel b/src/freedombone-app-babel
index 9b86c23ae..b39e35482 100755
--- a/src/freedombone-app-babel
+++ b/src/freedombone-app-babel
@@ -32,6 +32,21 @@
 ENABLE_BABEL="no"
 BABEL_PORT=6696
 
+function configure_firewall_for_babel {
+	if grep -Fxq "configure_firewall_for_babel" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $ENABLE_BABEL != "yes" ]]; then
+		return
+	fi
+	iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $BABEL_PORT -j ACCEPT
+	function_check save_firewall_settings
+	save_firewall_settings
+
+	OPEN_PORTS+=("Babel    $BABEL_PORT")
+	echo 'configure_firewall_for_babel' >> $COMPLETION_FILE
+}
+
 function mesh_babel {
 	if grep -Fxq "mesh_babel" $COMPLETION_FILE; then
 		return
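Review bot: The exit status of the `iptables -A INPUT` call in `configure_firewall_for_babel` is never checked. If `$WIFI_INTERFACE` is empty or the rule is rejected, the function still appends `Babel    $BABEL_PORT` to `OPEN_PORTS` and writes its marker to `$COMPLETION_FILE`, so later runs return early without retrying. Unless the calling script aborts on errors (not visible in this hunk), the recorded state then disagrees with the live ruleset. Quoting the expansions and stopping on failure would close that: `iptables -A INPUT -i "$WIFI_INTERFACE" -p udp --dport "$BABEL_PORT" -j ACCEPT || return 1`. The same unchecked pattern appears on the two `ip6tables` lines of `configure_firewall_for_cjdns` in the src/freedombone-app-cjdns hunk.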
diff --git a/src/freedombone-app-batman b/src/freedombone-app-batman
index 39bb4f066..c159f1785 100755
--- a/src/freedombone-app-batman
+++ b/src/freedombone-app-batman
@@ -32,6 +32,19 @@
 ENABLE_BATMAN="no"
 BATMAN_CELLID='any'
 
+function configure_firewall_for_batman {
+	if grep -Fxq "configure_firewall_for_batman" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $ENABLE_BATMAN != "yes" ]]; then
+		return
+	fi
+
+	function_check save_firewall_settings
+	save_firewall_settings
+	echo 'configure_firewall_for_batman' >> $COMPLETION_FILE
+}
+
 function mesh_batman {
 	if grep -Fxq "mesh_batman" $COMPLETION_FILE; then
 		return
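Review bot: `configure_firewall_for_batman` adds no iptables rule; it only calls `save_firewall_settings` and records its completion marker. From this hunk alone it is unclear whether that is intended or whether a rule was lost in the move out of freedombone-utils-firewall. If it is intended, a comment above the `function_check` line should say so, for example `# no port rules are added for batman here; only persist the current ruleset`. `$COMPLETION_FILE` is also unquoted in both the `grep` and the `echo`, so a path containing spaces would break the marker check.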
diff --git a/src/freedombone-app-cjdns b/src/freedombone-app-cjdns
index a4111e0b6..ed54bca99 100755
--- a/src/freedombone-app-cjdns
+++ b/src/freedombone-app-cjdns
@@ -40,408 +40,425 @@ CJDNS_COMMIT='13189fde111d0500427a7a0ce06a970753527bca'
 CJDCMD_REPO="https://github.com/inhies/cjdcmd"
 CJDCMD_COMMIT='973cca6ed0eecf9041c3403a40193c0b1291b808'
 
+function configure_firewall_for_cjdns {
+    if grep -Fxq "configure_firewall_for_cjdns" $COMPLETION_FILE; then
+        return
+    fi
+    if [[ $ENABLE_CJDNS != "yes" ]]; then
+        return
+    fi
+    ip6tables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
+    ip6tables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+    function_check save_firewall_settings
+    save_firewall_settings
+    echo 'configure_firewall_for_cjdns' >> $COMPLETION_FILE
+}
+
 function get_cjdns_public_key {
-	if [ -f /home/$MY_USERNAME/README ]; then
-		if grep -q "cjdns public key" /home/$MY_USERNAME/README; then
-			if [ ! $CJDNS_PUBLIC_KEY ]; then
-				CJDNS_PUBLIC_KEY=$(cat /home/$MY_USERNAME/README | grep "cjdns public key" | awk -F ':' '{print $2}' | sed 's/^ *//')
-			fi
-		fi
-	fi
+    if [ -f /home/$MY_USERNAME/README ]; then
+        if grep -q "cjdns public key" /home/$MY_USERNAME/README; then
+            if [ ! $CJDNS_PUBLIC_KEY ]; then
+                CJDNS_PUBLIC_KEY=$(cat /home/$MY_USERNAME/README | grep "cjdns public key" | awk -F ':' '{print $2}' | sed 's/^ *//')
+            fi
+        fi
+    fi
 }
 
 function get_cjdns_private_key {
-	if [ -f /home/$MY_USERNAME/README ]; then
-		if grep -q "cjdns private key" /home/$MY_USERNAME/README; then
-			if [ ! $CJDNS_PRIVATE_KEY ]; then
-				CJDNS_PRIVATE_KEY=$(cat /home/$MY_USERNAME/README | grep "cjdns private key" | awk -F ':' '{print $2}' | sed 's/^ *//')
-			fi
-		fi
-	fi
+    if [ -f /home/$MY_USERNAME/README ]; then
+        if grep -q "cjdns private key" /home/$MY_USERNAME/README; then
+            if [ ! $CJDNS_PRIVATE_KEY ]; then
+                CJDNS_PRIVATE_KEY=$(cat /home/$MY_USERNAME/README | grep "cjdns private key" | awk -F ':' '{print $2}' | sed 's/^ *//')
+            fi
+        fi
+    fi
 }
 
 function get_cjdns_ipv6_address {
-	if [ -f /home/$MY_USERNAME/README ]; then
-		if grep -q "cjdns IPv6 address" /home/$MY_USERNAME/README; then
-			if [ ! $CJDNS_IPV6 ]; then
-				CJDNS_IPV6=$(cat /home/$MY_USERNAME/README | grep "cjdns IPv6 address" | awk -F ':' '{print $2}' | sed 's/^ *//')
-			fi
-		fi
-	fi
+    if [ -f /home/$MY_USERNAME/README ]; then
+        if grep -q "cjdns IPv6 address" /home/$MY_USERNAME/README; then
+            if [ ! $CJDNS_IPV6 ]; then
+                CJDNS_IPV6=$(cat /home/$MY_USERNAME/README | grep "cjdns IPv6 address" | awk -F ':' '{print $2}' | sed 's/^ *//')
+            fi
+        fi
+    fi
 }
 
 function get_cjdns_port {
-	if [ -f /home/$MY_USERNAME/README ]; then
-		if grep -q "cjdns port" /home/$MY_USERNAME/README; then
-			if [ ! $CJDNS_PORT ]; then
-				CJDNS_PORT=$(cat /home/$MY_USERNAME/README | grep "cjdns port" | awk -F ':' '{print $2}' | sed 's/^ *//')
-			fi
-		fi
-	fi
+    if [ -f /home/$MY_USERNAME/README ]; then
+        if grep -q "cjdns port" /home/$MY_USERNAME/README; then
+            if [ ! $CJDNS_PORT ]; then
+                CJDNS_PORT=$(cat /home/$MY_USERNAME/README | grep "cjdns port" | awk -F ':' '{print $2}' | sed 's/^ *//')
+            fi
+        fi
+    fi
 }
 
 function get_cjdns_password {
-	if [ -f /home/$MY_USERNAME/README ]; then
-		if grep -q "cjdns password" /home/$MY_USERNAME/README; then
-			if [ ! $CJDNS_PASSWORD ]; then
-				CJDNS_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "cjdns password" | awk -F ':' '{print $2}' | sed 's/^ *//')
-			fi
-		fi
-	fi
+    if [ -f /home/$MY_USERNAME/README ]; then
+        if grep -q "cjdns password" /home/$MY_USERNAME/README; then
+            if [ ! $CJDNS_PASSWORD ]; then
+                CJDNS_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "cjdns password" | awk -F ':' '{print $2}' | sed 's/^ *//')
+            fi
+        fi
+    fi
 }
 
 function mesh_cjdns {
-	if [[ $ENABLE_CJDNS != "yes" ]]; then
-		return
-	fi
-
-	# update to the next commit
-	function_check set_repo_commit
-	set_repo_commit /etc/cjdns "cjdns commit" "$CJDNS_COMMIT" $CJDNS_REPO
-
-	if grep -Fxq "mesh_cjdns" $COMPLETION_FILE; then
-		return
-	fi
-
-	apt-get -y install nodejs git build-essential nmap
-
-	# if a README exists then obtain the cjdns parameters
-	function_check get_cjdns_ipv6_address
-	get_cjdns_ipv6_address
-
-	function_check get_cjdns_public_key
-	get_cjdns_public_key
-
-	function_check get_cjdns_private_key
-	get_cjdns_private_key
-
-	function_check get_cjdns_port
-	get_cjdns_port
-
-	function_check get_cjdns_password
-	get_cjdns_password
-
-	# special compile settings for running ./do on the Beaglebone Black
-	if [[ $INSTALLING_ON_BBB == "yes" ]]; then
-		CFLAGS="-O2 -march=armv7-a -mtune=cortex-a8 -mfpu=neon -ftree-vectorize -ffast-math -mfloat-abi=hard -marm -Wno-error=maybe-uninitialized"
-		export LDFLAGS="$CFLAGS"
-	fi
-
-	if [ ! -d /etc/cjdns ]; then
-		function_check git_pull
-		git_clone $CJDNS_REPO /etc/cjdns
-		cd /etc/cjdns
-
-		git checkout $CJDNS_COMMIT -b $CJDNS_COMMIT
-		if ! grep -q "cjdns commit" $COMPLETION_FILE; then
-			echo "cjdns commit:$CJDNS_COMMIT" >> $COMPLETION_FILE
-		else
-			sed -i "s/cjdns commit.*/cjdns commit:$CJDNS_COMMIT/g" $COMPLETION_FILE
-		fi
-
-		./do
-		if [ ! "$?" = "0" ]; then
-			exit 7439
-		fi
-		# create a configuration
-		if [ ! -f /etc/cjdns/cjdroute.conf ]; then
-			./cjdroute --genconf > /etc/cjdns/cjdroute.conf
-			if [ ! "$?" = "0" ]; then
-				exit 5922
-			fi
-		fi
-		# create a user to run as
-		useradd cjdns
-	else
-		cd /etc/cjdns
-		function_check git_pull
-		git_pull $CJDNS_REPO
-		./do
-		if [ ! "$?" = "0" ]; then
-			exit 9926
-		fi
-	fi
-
-	# set permissions
-	chown -R cjdns:cjdns /etc/cjdns
-	chmod 600 /etc/cjdns/cjdroute.conf
-
-	/sbin/ip tuntap add mode tun user cjdns dev cjdroute0
-
-	# insert values into the configuration file
-	if [ $CJDNS_PRIVATE_KEY ]; then
-		sed -i "s/\"privateKey\":.*/\"privateKey\": \"$CJDNS_PRIVATE_KEY\",/g" /etc/cjdns/cjdroute.conf
-	else
-		CJDNS_PRIVATE_KEY=$(cat /etc/cjdns/cjdroute.conf | grep '"privateKey"' | awk -F '"' '{print $4}' | sed -n 1p)
-	fi
-	if [ $CJDNS_PUBLIC_KEY ]; then
-		sed -i "s/\"publicKey\":.*/\"publicKey\": \"$CJDNS_PUBLIC_KEY\",/g" /etc/cjdns/cjdroute.conf
-	else
-		CJDNS_PUBLIC_KEY=$(cat /etc/cjdns/cjdroute.conf | grep '"publicKey"' | awk -F '"' '{print $4}' | sed -n 1p)
-	fi
-	if [ $CJDNS_IPV6 ]; then
-		sed -i "s/\"ipv6\":.*/\"ipv6\": \"$CJDNS_IPV6\",/g" /etc/cjdns/cjdroute.conf
-	else
-		CJDNS_IPV6=$(cat /etc/cjdns/cjdroute.conf | grep '"ipv6"' | awk -F '"' '{print $4}' | sed -n 1p)
-	fi
-	if [ $CJDNS_PASSWORD ]; then
-		sed -i "0,/{\"password\":.*/s//{\"password\": \"$CJDNS_PASSWORD\"}/g" /etc/cjdns/cjdroute.conf
-	else
-		CJDNS_PASSWORD=$(cat /etc/cjdns/cjdroute.conf | grep '"password"' | awk -F '"' '{print $4}' | sed -n 1p)
-	fi
-	if [ $CJDNS_PORT ]; then
-		sed -i "s/\"bind\": \"0.0.0.0:.*/\"bind\": \"0.0.0.0:$CJDNS_PORT\",/g" /etc/cjdns/cjdroute.conf
-	else
-		CJDNS_PORT=$(cat /etc/cjdns/cjdroute.conf | grep '"bind": "0.0.0.0:' | awk -F '"' '{print $4}' | awk -F ':' '{print $2}' | sed -n 1p)
-	fi
-
-	function_check enable_ipv6
-	enable_ipv6
-
-	echo '#!/bin/sh -e' > /etc/init.d/cjdns
-	echo '### BEGIN INIT INFO' >> /etc/init.d/cjdns
-	echo '# hyperboria.sh - An init script (/etc/init.d/) for cjdns' >> /etc/init.d/cjdns
-	echo '# Provides:          cjdroute' >> /etc/init.d/cjdns
-	echo '# Required-Start:    $remote_fs $network' >> /etc/init.d/cjdns
-	echo '# Required-Stop:     $remote_fs $network' >> /etc/init.d/cjdns
-	echo '# Default-Start:     2 3 4 5' >> /etc/init.d/cjdns
-	echo '# Default-Stop:      0 1 6' >> /etc/init.d/cjdns
-	echo '# Short-Description: Cjdns router' >> /etc/init.d/cjdns
-	echo '# Description:       A routing engine designed for security, scalability, speed and ease of use.' >> /etc/init.d/cjdns
-	echo '# cjdns git repo:    https://github.com/cjdelisle/cjdns/' >> /etc/init.d/cjdns
-	echo '### END INIT INFO' >> /etc/init.d/cjdns
-	echo '' >> /etc/init.d/cjdns
-	echo 'PROG="cjdroute"' >> /etc/init.d/cjdns
-	echo 'GIT_PATH="/etc/cjdns"' >> /etc/init.d/cjdns
-	echo 'PROG_PATH="/etc/cjdns"' >> /etc/init.d/cjdns
-	echo 'CJDNS_CONFIG="cjdroute.conf"' >> /etc/init.d/cjdns
-	echo 'CJDNS_USER="cjdns"' >> /etc/init.d/cjdns
-	echo "CJDNS_IP='$CJDNS_IPV6'" >> /etc/init.d/cjdns
-	echo '' >> /etc/init.d/cjdns
-	echo 'start() {' >> /etc/init.d/cjdns
-	echo '     # Start it up with the user cjdns' >> /etc/init.d/cjdns
-	echo '     if [ $(pgrep cjdroute | wc -l) != 0 ];' >> /etc/init.d/cjdns
-	echo '     then' >> /etc/init.d/cjdns
-	echo '         echo "cjdroute is already running. Doing nothing..."' >> /etc/init.d/cjdns
-	echo '     else' >> /etc/init.d/cjdns
-	echo '         echo " * Starting cjdroute"' >> /etc/init.d/cjdns
-	echo '         su -c "$PROG_PATH/$PROG < $PROG_PATH/$CJDNS_CONFIG" - $CJDNS_USER' >> /etc/init.d/cjdns
-	echo '         /sbin/ip addr add $CJDNS_IP/8 dev tun0' >> /etc/init.d/cjdns
-	echo '         /sbin/ip link set mtu 1312 dev tun0' >> /etc/init.d/cjdns
-	echo '         /sbin/ip link set tun0 up' >> /etc/init.d/cjdns
-	echo '         /sbin/ip tuntap add mode tun user cjdns dev tun0' >> /etc/init.d/cjdns
-	echo '     fi' >> /etc/init.d/cjdns
-	echo '}' >> /etc/init.d/cjdns
-	echo '' >> /etc/init.d/cjdns
-	echo 'stop() {' >> /etc/init.d/cjdns
-	echo '' >> /etc/init.d/cjdns
-	echo '     if [ $(pgrep cjdroute | wc -l) != 2 ];' >> /etc/init.d/cjdns
-	echo '     then' >> /etc/init.d/cjdns
-	echo '         echo "cjdns isnt running."' >> /etc/init.d/cjdns
-	echo '     else' >> /etc/init.d/cjdns
-	echo '         echo "Killing cjdroute"' >> /etc/init.d/cjdns
-	echo '         killall cjdroute' >> /etc/init.d/cjdns
-	echo '     fi' >> /etc/init.d/cjdns
-	echo '}' >> /etc/init.d/cjdns
-	echo '' >> /etc/init.d/cjdns
-	echo 'status() {' >> /etc/init.d/cjdns
-	echo '     if [ $(pgrep cjdroute | wc -l) != 0 ];' >> /etc/init.d/cjdns
-	echo '     then' >> /etc/init.d/cjdns
-	echo '         echo "Cjdns is running"' >> /etc/init.d/cjdns
-	echo '     else' >> /etc/init.d/cjdns
-	echo '         echo "Cjdns is not running"' >> /etc/init.d/cjdns
-	echo '     fi' >> /etc/init.d/cjdns
-	echo '}' >> /etc/init.d/cjdns
-	echo '' >> /etc/init.d/cjdns
-	echo ' update() {' >> /etc/init.d/cjdns
-	echo '     cd $GIT_PATH' >> /etc/init.d/cjdns
-	echo '     echo "Updating..."' >> /etc/init.d/cjdns
-	echo '     git pull' >> /etc/init.d/cjdns
-	echo '     ./do' >> /etc/init.d/cjdns
-	echo '}' >> /etc/init.d/cjdns
-	echo '' >> /etc/init.d/cjdns
-	echo '## Check to see if we are running as root first.' >> /etc/init.d/cjdns
-	echo 'if [ "$(id -u)" != "0" ]; then' >> /etc/init.d/cjdns
-	echo '    echo "This script must be run as root" 1>&2' >> /etc/init.d/cjdns
-	echo '    exit 1' >> /etc/init.d/cjdns
-	echo 'fi' >> /etc/init.d/cjdns
-	echo '' >> /etc/init.d/cjdns
-	echo 'case $1 in' >> /etc/init.d/cjdns
-	echo '     start)' >> /etc/init.d/cjdns
-	echo '         start' >> /etc/init.d/cjdns
-	echo '         exit 0' >> /etc/init.d/cjdns
-	echo '     ;;' >> /etc/init.d/cjdns
-	echo '     stop)' >> /etc/init.d/cjdns
-	echo '         stop' >> /etc/init.d/cjdns
-	echo '         exit 0' >> /etc/init.d/cjdns
-	echo '     ;;' >> /etc/init.d/cjdns
-	echo '     reload|restart|force-reload)' >> /etc/init.d/cjdns
-	echo '         stop' >> /etc/init.d/cjdns
-	echo '         sleep 1' >> /etc/init.d/cjdns
-	echo '         start' >> /etc/init.d/cjdns
-	echo '         exit 0' >> /etc/init.d/cjdns
-	echo '     ;;' >> /etc/init.d/cjdns
-	echo '     status)' >> /etc/init.d/cjdns
-	echo '         status' >> /etc/init.d/cjdns
-	echo '         exit 0' >> /etc/init.d/cjdns
-	echo '     ;;' >> /etc/init.d/cjdns
-	echo '     update|upgrade)' >> /etc/init.d/cjdns
-	echo '         update' >> /etc/init.d/cjdns
-	echo '         stop' >> /etc/init.d/cjdns
-	echo '         sleep 2' >> /etc/init.d/cjdns
-	echo '         start' >> /etc/init.d/cjdns
-	echo '         exit 0' >> /etc/init.d/cjdns
-	echo '     ;;' >> /etc/init.d/cjdns
-	echo '     **)' >> /etc/init.d/cjdns
-	echo '         echo "Usage: $0 (start|stop|restart|status|update)" 1>&2' >> /etc/init.d/cjdns
-	echo '         exit 1' >> /etc/init.d/cjdns
-	echo '     ;;' >> /etc/init.d/cjdns
-	echo 'esac' >> /etc/init.d/cjdns
-	chmod +x /etc/init.d/cjdns
-	update-rc.d cjdns defaults
-	service cjdns start
-	if [ ! "$?" = "0" ]; then
-		systemctl status cjdns.service
-		exit 8260
-	fi
-
-	apt-get -y install radvd
-	echo 'interface eth0' > /etc/radvd.conf
-	echo '{' >> /etc/radvd.conf
-	echo '    AdvSendAdvert on;' >> /etc/radvd.conf
-	echo '    prefix fdfc::1/64' >> /etc/radvd.conf
-	echo '    {' >> /etc/radvd.conf
-	echo '        AdvRouterAddr on;' >> /etc/radvd.conf
-	echo '    };' >> /etc/radvd.conf
-	echo '};' >> /etc/radvd.conf
-	systemctl restart radvd
-	if [ ! "$?" = "0" ]; then
-		systemctl status radvd.service
-		exit 4395
-	fi
-
-	if ! grep -q "# Mesh Networking (cjdns)" /etc/network/interfaces; then
-		echo '' >> /etc/network/interfaces
-		echo '# Mesh Networking (cjdns)' >> /etc/network/interfaces
-		echo 'iface eth0 inet6 static' >> /etc/network/interfaces
-		echo '    pre-up modprobe ipv6' >> /etc/network/interfaces
-		echo '    address fdfc:0000:0000:0000:0000:0000:0000:0001' >> /etc/network/interfaces
-		echo '    netmask 64' >> /etc/network/interfaces
-		service network-manager restart
-		if [ ! "$?" = "0" ]; then
-			systemctl status networking.service
-			exit 6949
-		fi
-	fi
-
-	ip6tables -A INPUT -p udp --dport $CJDNS_PORT -j ACCEPT
-	ip6tables -A INPUT -p tcp --dport $CJDNS_PORT -j ACCEPT
-
-	function_ckeck save_firewall_settings
-	save_firewall_settings
-
-	if ! grep -q $"Mesh Networking (cjdns)" /home/$MY_USERNAME/README; then
-		CURRENT_IP_ADDRESS=$(ip addr show | grep "inet " | sed -n 2p | awk -F ' ' '{print $2}' | awk -F '/' '{print $1}')
-
-		echo '' >> /home/$MY_USERNAME/README
-		echo '' >> /home/$MY_USERNAME/README
-		echo $'Mesh Networking (cjdns)' >> /home/$MY_USERNAME/README
-		echo '=======================' >> /home/$MY_USERNAME/README
-		echo $"cjdns IPv6 address: $CJDNS_IPV6" >> /home/$MY_USERNAME/README
-		echo $"cjdns public key: $CJDNS_PUBLIC_KEY" >> /home/$MY_USERNAME/README
-		echo $"cjdns private key: $CJDNS_PRIVATE_KEY" >> /home/$MY_USERNAME/README
-		echo $"cjdns password: $CJDNS_PASSWORD" >> /home/$MY_USERNAME/README
-		echo $"cjdns port: $CJDNS_PORT" >> /home/$MY_USERNAME/README
-		echo '' >> /home/$MY_USERNAME/README
-		echo $"Forward port $CJDNS_PORT from your internet router to the ${PROJECT_NAME}" >> /home/$MY_USERNAME/README
-		echo '' >> /home/$MY_USERNAME/README
-		echo $'Below is an example of your connection credentials' >> /home/$MY_USERNAME/README
-		echo $'that you can give to other people so they can connect' >> /home/$MY_USERNAME/README
-		echo $'to you using your default password' >> /home/$MY_USERNAME/README
-		echo $'Adding a unique password for each user is advisable' >> /home/$MY_USERNAME/README
-		echo $'so that leaks can be isolated.' >> /home/$MY_USERNAME/README
-		echo '' >> /home/$MY_USERNAME/README
-		echo "\"$CURRENT_IP_ADDRESS:$CJDNS_PORT\":{\"password\":\"$CJDNS_PASSWORD\",\"publicKey\":\"$CJDNS_PUBLIC_KEY\"}" >> /home/$MY_USERNAME/README
-		echo '' >> /home/$MY_USERNAME/README
-		echo $'More is not better. 3-5 cjdns peers is good. 30 peers is bad.' >> /home/$MY_USERNAME/README
-		echo '' >> /home/$MY_USERNAME/README
-		echo $'NEVER USE A PUBLIC PEER. These degrade the network and make it centralized.' >> /home/$MY_USERNAME/README
-		echo $'Each node can handle many peers, but no node can handle the entire internet.' >> /home/$MY_USERNAME/README
-		echo $'As this network grows any public peer will simply become saturated and' >> /home/$MY_USERNAME/README
-		echo $'useless causing issues for the entire network.' >> /home/$MY_USERNAME/README
-		echo $'Please report anyone offering you a public peer as they are promoting shared' >> /home/$MY_USERNAME/README
-		echo $'passwords which could lead to people pretending to be you. A peering pass' >> /home/$MY_USERNAME/README
-		echo $'should not contain someone elses nickname or info but should contain yours' >> /home/$MY_USERNAME/README
-		echo $'to ensure it is not shared. It also helps when editing the conf to know who' >> /home/$MY_USERNAME/README
-		echo $'each password is for.' >> /home/$MY_USERNAME/README
-		echo '' >> /home/$MY_USERNAME/README
-		echo $'Possible cjdns destinations of interest:' >> /home/$MY_USERNAME/README
-		echo '    http://transitiontech.ca/faq' >> /home/$MY_USERNAME/README
-		echo '    http://cjdns.ca/hypeirc.txt' >> /home/$MY_USERNAME/README
-		chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
-		chmod 600 /home/$MY_USERNAME/README
-	fi
-
-	echo 'mesh_cjdns' >> $COMPLETION_FILE
+    if [[ $ENABLE_CJDNS != "yes" ]]; then
+        return
+    fi
+
+    # update to the next commit
+    function_check set_repo_commit
+    set_repo_commit /etc/cjdns "cjdns commit" "$CJDNS_COMMIT" $CJDNS_REPO
+
+    if grep -Fxq "mesh_cjdns" $COMPLETION_FILE; then
+        return
+    fi
+
+    apt-get -y install nodejs git build-essential nmap
+
+    # if a README exists then obtain the cjdns parameters
+    function_check get_cjdns_ipv6_address
+    get_cjdns_ipv6_address
+
+    function_check get_cjdns_public_key
+    get_cjdns_public_key
+
+    function_check get_cjdns_private_key
+    get_cjdns_private_key
+
+    function_check get_cjdns_port
+    get_cjdns_port
+
+    function_check get_cjdns_password
+    get_cjdns_password
+
+    # special compile settings for running ./do on the Beaglebone Black
+    if [[ $INSTALLING_ON_BBB == "yes" ]]; then
+        CFLAGS="-O2 -march=armv7-a -mtune=cortex-a8 -mfpu=neon -ftree-vectorize -ffast-math -mfloat-abi=hard -marm -Wno-error=maybe-uninitialized"
+        export LDFLAGS="$CFLAGS"
+    fi
+
+    if [ ! -d /etc/cjdns ]; then
+        function_check git_pull
+        git_clone $CJDNS_REPO /etc/cjdns
+        cd /etc/cjdns
+
+        git checkout $CJDNS_COMMIT -b $CJDNS_COMMIT
+        if ! grep -q "cjdns commit" $COMPLETION_FILE; then
+            echo "cjdns commit:$CJDNS_COMMIT" >> $COMPLETION_FILE
+        else
+            sed -i "s/cjdns commit.*/cjdns commit:$CJDNS_COMMIT/g" $COMPLETION_FILE
+        fi
+
+        ./do
+        if [ ! "$?" = "0" ]; then
+            exit 7439
+        fi
+        # create a configuration
+        if [ ! -f /etc/cjdns/cjdroute.conf ]; then
+            ./cjdroute --genconf > /etc/cjdns/cjdroute.conf
+            if [ ! "$?" = "0" ]; then
+                exit 5922
+            fi
+        fi
+        # create a user to run as
+        useradd cjdns
+    else
+        cd /etc/cjdns
+        function_check git_pull
+        git_pull $CJDNS_REPO
+        ./do
+        if [ ! "$?" = "0" ]; then
+            exit 9926
+        fi
+    fi
+
+    # set permissions
+    chown -R cjdns:cjdns /etc/cjdns
+    chmod 600 /etc/cjdns/cjdroute.conf
+
+    /sbin/ip tuntap add mode tun user cjdns dev cjdroute0
+
+    # insert values into the configuration file
+    if [ $CJDNS_PRIVATE_KEY ]; then
+        sed -i "s/\"privateKey\":.*/\"privateKey\": \"$CJDNS_PRIVATE_KEY\",/g" /etc/cjdns/cjdroute.conf
+    else
+        CJDNS_PRIVATE_KEY=$(cat /etc/cjdns/cjdroute.conf | grep '"privateKey"' | awk -F '"' '{print $4}' | sed -n 1p)
+    fi
+    if [ $CJDNS_PUBLIC_KEY ]; then
+        sed -i "s/\"publicKey\":.*/\"publicKey\": \"$CJDNS_PUBLIC_KEY\",/g" /etc/cjdns/cjdroute.conf
+    else
+        CJDNS_PUBLIC_KEY=$(cat /etc/cjdns/cjdroute.conf | grep '"publicKey"' | awk -F '"' '{print $4}' | sed -n 1p)
+    fi
+    if [ $CJDNS_IPV6 ]; then
+        sed -i "s/\"ipv6\":.*/\"ipv6\": \"$CJDNS_IPV6\",/g" /etc/cjdns/cjdroute.conf
+    else
+        CJDNS_IPV6=$(cat /etc/cjdns/cjdroute.conf | grep '"ipv6"' | awk -F '"' '{print $4}' | sed -n 1p)
+    fi
+    if [ $CJDNS_PASSWORD ]; then
+        sed -i "0,/{\"password\":.*/s//{\"password\": \"$CJDNS_PASSWORD\"}/g" /etc/cjdns/cjdroute.conf
+    else
+        CJDNS_PASSWORD=$(cat /etc/cjdns/cjdroute.conf | grep '"password"' | awk -F '"' '{print $4}' | sed -n 1p)
+    fi
+    if [ $CJDNS_PORT ]; then
+        sed -i "s/\"bind\": \"0.0.0.0:.*/\"bind\": \"0.0.0.0:$CJDNS_PORT\",/g" /etc/cjdns/cjdroute.conf
+    else
+        CJDNS_PORT=$(cat /etc/cjdns/cjdroute.conf | grep '"bind": "0.0.0.0:' | awk -F '"' '{print $4}' | awk -F ':' '{print $2}' | sed -n 1p)
+    fi
+
+    function_check enable_ipv6
+    enable_ipv6
+
+    echo '#!/bin/sh -e' > /etc/init.d/cjdns
+    echo '### BEGIN INIT INFO' >> /etc/init.d/cjdns
+    echo '# hyperboria.sh - An init script (/etc/init.d/) for cjdns' >> /etc/init.d/cjdns
+    echo '# Provides:          cjdroute' >> /etc/init.d/cjdns
+    echo '# Required-Start:    $remote_fs $network' >> /etc/init.d/cjdns
+    echo '# Required-Stop:     $remote_fs $network' >> /etc/init.d/cjdns
+    echo '# Default-Start:     2 3 4 5' >> /etc/init.d/cjdns
+    echo '# Default-Stop:      0 1 6' >> /etc/init.d/cjdns
+    echo '# Short-Description: Cjdns router' >> /etc/init.d/cjdns
+    echo '# Description:       A routing engine designed for security, scalability, speed and ease of use.' >> /etc/init.d/cjdns
+    echo '# cjdns git repo:    https://github.com/cjdelisle/cjdns/' >> /etc/init.d/cjdns
+    echo '### END INIT INFO' >> /etc/init.d/cjdns
+    echo '' >> /etc/init.d/cjdns
+    echo 'PROG="cjdroute"' >> /etc/init.d/cjdns
+    echo 'GIT_PATH="/etc/cjdns"' >> /etc/init.d/cjdns
+    echo 'PROG_PATH="/etc/cjdns"' >> /etc/init.d/cjdns
+    echo 'CJDNS_CONFIG="cjdroute.conf"' >> /etc/init.d/cjdns
+    echo 'CJDNS_USER="cjdns"' >> /etc/init.d/cjdns
+    echo "CJDNS_IP='$CJDNS_IPV6'" >> /etc/init.d/cjdns
+    echo '' >> /etc/init.d/cjdns
+    echo 'start() {' >> /etc/init.d/cjdns
+    echo '     # Start it up with the user cjdns' >> /etc/init.d/cjdns
+    echo '     if [ $(pgrep cjdroute | wc -l) != 0 ];' >> /etc/init.d/cjdns
+    echo '     then' >> /etc/init.d/cjdns
+    echo '         echo "cjdroute is already running. Doing nothing..."' >> /etc/init.d/cjdns
+    echo '     else' >> /etc/init.d/cjdns
+    echo '         echo " * Starting cjdroute"' >> /etc/init.d/cjdns
+    echo '         su -c "$PROG_PATH/$PROG < $PROG_PATH/$CJDNS_CONFIG" - $CJDNS_USER' >> /etc/init.d/cjdns
+    echo '         /sbin/ip addr add $CJDNS_IP/8 dev tun0' >> /etc/init.d/cjdns
+    echo '         /sbin/ip link set mtu 1312 dev tun0' >> /etc/init.d/cjdns
+    echo '         /sbin/ip link set tun0 up' >> /etc/init.d/cjdns
+    echo '         /sbin/ip tuntap add mode tun user cjdns dev tun0' >> /etc/init.d/cjdns
+    echo '     fi' >> /etc/init.d/cjdns
+    echo '}' >> /etc/init.d/cjdns
+    echo '' >> /etc/init.d/cjdns
+    echo 'stop() {' >> /etc/init.d/cjdns
+    echo '' >> /etc/init.d/cjdns
+    echo '     if [ $(pgrep cjdroute | wc -l) != 2 ];' >> /etc/init.d/cjdns
+    echo '     then' >> /etc/init.d/cjdns
+    echo '         echo "cjdns isnt running."' >> /etc/init.d/cjdns
+    echo '     else' >> /etc/init.d/cjdns
+    echo '         echo "Killing cjdroute"' >> /etc/init.d/cjdns
+    echo '         killall cjdroute' >> /etc/init.d/cjdns
+    echo '     fi' >> /etc/init.d/cjdns
+    echo '}' >> /etc/init.d/cjdns
+    echo '' >> /etc/init.d/cjdns
+    echo 'status() {' >> /etc/init.d/cjdns
+    echo '     if [ $(pgrep cjdroute | wc -l) != 0 ];' >> /etc/init.d/cjdns
+    echo '     then' >> /etc/init.d/cjdns
+    echo '         echo "Cjdns is running"' >> /etc/init.d/cjdns
+    echo '     else' >> /etc/init.d/cjdns
+    echo '         echo "Cjdns is not running"' >> /etc/init.d/cjdns
+    echo '     fi' >> /etc/init.d/cjdns
+    echo '}' >> /etc/init.d/cjdns
+    echo '' >> /etc/init.d/cjdns
+    echo ' update() {' >> /etc/init.d/cjdns
+    echo '     cd $GIT_PATH' >> /etc/init.d/cjdns
+    echo '     echo "Updating..."' >> /etc/init.d/cjdns
+    echo '     git pull' >> /etc/init.d/cjdns
+    echo '     ./do' >> /etc/init.d/cjdns
+    echo '}' >> /etc/init.d/cjdns
+    echo '' >> /etc/init.d/cjdns
+    echo '## Check to see if we are running as root first.' >> /etc/init.d/cjdns
+    echo 'if [ "$(id -u)" != "0" ]; then' >> /etc/init.d/cjdns
+    echo '    echo "This script must be run as root" 1>&2' >> /etc/init.d/cjdns
+    echo '    exit 1' >> /etc/init.d/cjdns
+    echo 'fi' >> /etc/init.d/cjdns
+    echo '' >> /etc/init.d/cjdns
+    echo 'case $1 in' >> /etc/init.d/cjdns
+    echo '     start)' >> /etc/init.d/cjdns
+    echo '         start' >> /etc/init.d/cjdns
+    echo '         exit 0' >> /etc/init.d/cjdns
+    echo '     ;;' >> /etc/init.d/cjdns
+    echo '     stop)' >> /etc/init.d/cjdns
+    echo '         stop' >> /etc/init.d/cjdns
+    echo '         exit 0' >> /etc/init.d/cjdns
+    echo '     ;;' >> /etc/init.d/cjdns
+    echo '     reload|restart|force-reload)' >> /etc/init.d/cjdns
+    echo '         stop' >> /etc/init.d/cjdns
+    echo '         sleep 1' >> /etc/init.d/cjdns
+    echo '         start' >> /etc/init.d/cjdns
+    echo '         exit 0' >> /etc/init.d/cjdns
+    echo '     ;;' >> /etc/init.d/cjdns
+    echo '     status)' >> /etc/init.d/cjdns
+    echo '         status' >> /etc/init.d/cjdns
+    echo '         exit 0' >> /etc/init.d/cjdns
+    echo '     ;;' >> /etc/init.d/cjdns
+    echo '     update|upgrade)' >> /etc/init.d/cjdns
+    echo '         update' >> /etc/init.d/cjdns
+    echo '         stop' >> /etc/init.d/cjdns
+    echo '         sleep 2' >> /etc/init.d/cjdns
+    echo '         start' >> /etc/init.d/cjdns
+    echo '         exit 0' >> /etc/init.d/cjdns
+    echo '     ;;' >> /etc/init.d/cjdns
+    echo '     **)' >> /etc/init.d/cjdns
+    echo '         echo "Usage: $0 (start|stop|restart|status|update)" 1>&2' >> /etc/init.d/cjdns
+    echo '         exit 1' >> /etc/init.d/cjdns
+    echo '     ;;' >> /etc/init.d/cjdns
+    echo 'esac' >> /etc/init.d/cjdns
+    chmod +x /etc/init.d/cjdns
+    update-rc.d cjdns defaults
+    service cjdns start
+    if [ ! "$?" = "0" ]; then
+        systemctl status cjdns.service
+        exit 8260
+    fi
+
+    apt-get -y install radvd
+    echo 'interface eth0' > /etc/radvd.conf
+    echo '{' >> /etc/radvd.conf
+    echo '    AdvSendAdvert on;' >> /etc/radvd.conf
+    echo '    prefix fdfc::1/64' >> /etc/radvd.conf
+    echo '    {' >> /etc/radvd.conf
+    echo '        AdvRouterAddr on;' >> /etc/radvd.conf
+    echo '    };' >> /etc/radvd.conf
+    echo '};' >> /etc/radvd.conf
+    systemctl restart radvd
+    if [ ! "$?" = "0" ]; then
+        systemctl status radvd.service
+        exit 4395
+    fi
+
+    if ! grep -q "# Mesh Networking (cjdns)" /etc/network/interfaces; then
+        echo '' >> /etc/network/interfaces
+        echo '# Mesh Networking (cjdns)' >> /etc/network/interfaces
+        echo 'iface eth0 inet6 static' >> /etc/network/interfaces
+        echo '    pre-up modprobe ipv6' >> /etc/network/interfaces
+        echo '    address fdfc:0000:0000:0000:0000:0000:0000:0001' >> /etc/network/interfaces
+        echo '    netmask 64' >> /etc/network/interfaces
+        service network-manager restart
+        if [ ! "$?" = "0" ]; then
+            systemctl status networking.service
+            exit 6949
+        fi
+    fi
+
+    ip6tables -A INPUT -p udp --dport $CJDNS_PORT -j ACCEPT
+    ip6tables -A INPUT -p tcp --dport $CJDNS_PORT -j ACCEPT
+
+    function_ckeck save_firewall_settings
+    save_firewall_settings
+
+    if ! grep -q $"Mesh Networking (cjdns)" /home/$MY_USERNAME/README; then
+        CURRENT_IP_ADDRESS=$(ip addr show | grep "inet " | sed -n 2p | awk -F ' ' '{print $2}' | awk -F '/' '{print $1}')
+
+        echo '' >> /home/$MY_USERNAME/README
+        echo '' >> /home/$MY_USERNAME/README
+        echo $'Mesh Networking (cjdns)' >> /home/$MY_USERNAME/README
+        echo '=======================' >> /home/$MY_USERNAME/README
+        echo $"cjdns IPv6 address: $CJDNS_IPV6" >> /home/$MY_USERNAME/README
+        echo $"cjdns public key: $CJDNS_PUBLIC_KEY" >> /home/$MY_USERNAME/README
+        echo $"cjdns private key: $CJDNS_PRIVATE_KEY" >> /home/$MY_USERNAME/README
+        echo $"cjdns password: $CJDNS_PASSWORD" >> /home/$MY_USERNAME/README
+        echo $"cjdns port: $CJDNS_PORT" >> /home/$MY_USERNAME/README
+        echo '' >> /home/$MY_USERNAME/README
+        echo $"Forward port $CJDNS_PORT from your internet router to the ${PROJECT_NAME}" >> /home/$MY_USERNAME/README
+        echo '' >> /home/$MY_USERNAME/README
+        echo $'Below is an example of your connection credentials' >> /home/$MY_USERNAME/README
+        echo $'that you can give to other people so they can connect' >> /home/$MY_USERNAME/README
+        echo $'to you using your default password' >> /home/$MY_USERNAME/README
+        echo $'Adding a unique password for each user is advisable' >> /home/$MY_USERNAME/README
+        echo $'so that leaks can be isolated.' >> /home/$MY_USERNAME/README
+        echo '' >> /home/$MY_USERNAME/README
+        echo "\"$CURRENT_IP_ADDRESS:$CJDNS_PORT\":{\"password\":\"$CJDNS_PASSWORD\",\"publicKey\":\"$CJDNS_PUBLIC_KEY\"}" >> /home/$MY_USERNAME/README
+        echo '' >> /home/$MY_USERNAME/README
+        echo $'More is not better. 3-5 cjdns peers is good. 30 peers is bad.' >> /home/$MY_USERNAME/README
+        echo '' >> /home/$MY_USERNAME/README
+        echo $'NEVER USE A PUBLIC PEER. These degrade the network and make it centralized.' >> /home/$MY_USERNAME/README
+        echo $'Each node can handle many peers, but no node can handle the entire internet.' >> /home/$MY_USERNAME/README
+        echo $'As this network grows any public peer will simply become saturated and' >> /home/$MY_USERNAME/README
+        echo $'useless causing issues for the entire network.' >> /home/$MY_USERNAME/README
+        echo $'Please report anyone offering you a public peer as they are promoting shared' >> /home/$MY_USERNAME/README
+        echo $'passwords which could lead to people pretending to be you. A peering pass' >> /home/$MY_USERNAME/README
+        echo $'should not contain someone elses nickname or info but should contain yours' >> /home/$MY_USERNAME/README
+        echo $'to ensure it is not shared. It also helps when editing the conf to know who' >> /home/$MY_USERNAME/README
+        echo $'each password is for.' >> /home/$MY_USERNAME/README
+        echo '' >> /home/$MY_USERNAME/README
+        echo $'Possible cjdns destinations of interest:' >> /home/$MY_USERNAME/README
+        echo '    http://transitiontech.ca/faq' >> /home/$MY_USERNAME/README
+        echo '    http://cjdns.ca/hypeirc.txt' >> /home/$MY_USERNAME/README
+        chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
+        chmod 600 /home/$MY_USERNAME/README
+    fi
+
+    function_check configure_firewall_for_cjdns
+    configure_firewall_for_cjdns
+
+    echo 'mesh_cjdns' >> $COMPLETION_FILE
 }
 
 function mesh_cjdns_tools {
-	if grep -Fxq "mesh_cjdns_tools" $COMPLETION_FILE; then
-		return
-	fi
-	if [[ $ENABLE_CJDNS != "yes" ]]; then
-		return
-	fi
-	if [ ! -d /etc/cjdns ]; then
-		mesh_cjdns
-	fi
-
-	function_check select_go_version
-	select_go_version
-
-	apt-get -y install golang mercurial
-	if [ ! -f ~/.bashrc ]; then
-		touch ~/.bashrc
-	fi
-
-	if [ ! -d /home/git ]; then
-		# add a gogs user account
-		adduser --disabled-login --gecos 'Gogs' git
-
-		# install Go
-		if ! grep -q "export GOPATH=" ~/.bashrc; then
-			echo "export GOPATH=$GOPATH" >> ~/.bashrc
-		fi
-		systemctl set-environment GOPATH=$GOPATH
-		if ! grep -q "systemctl set-environment GOPATH=" ~/.bashrc; then
-			echo "systemctl set-environment GOPATH=$GOPATH" >> ~/.bashrc
-		fi
-		if [ ! -d $GOPATH ]; then
-			mkdir -p $GOPATH
-		fi
-	fi
-
-	if ! grep -q "export GOPATH=" ~/.bashrc; then
-		echo "export GOPATH=$GOPATH" >> ~/.bashrc
-	fi
-	expected_go_path='export PATH=$PATH:'${GOPATH}'/bin'
-	export PATH=$PATH:${GOPATH}/bin
-	if ! grep -q "$expected_go_path" ~/.bashrc; then
-		echo "$expected_go_path" >> ~/.bashrc
-	fi
-	export PATH=$PATH:$GOPATH/bin
-	CJDCMD_REPO2=$(echo "$CJDCMD_REPO" | sed 's|https://||g')
-	go get $CJDCMD_REPO2
-	if [ ! -f $GOPATH/bin/cjdcmd ]; then
-		echo $'cjdcmd was not compiled. Check your golang installation'
-		exit 7439
-	fi
-	cp $GOPATH/bin/cjdcmd /usr/bin
-
-	# initialise from the cjdns config
-	/usr/bin/cjdcmd cjdnsadmin -file /etc/cjdns/cjdroute.conf
-
-	echo 'mesh_cjdns_tools' >> $COMPLETION_FILE
+    if grep -Fxq "mesh_cjdns_tools" $COMPLETION_FILE; then
+        return
+    fi
+    if [[ $ENABLE_CJDNS != "yes" ]]; then
+        return
+    fi
+    if [ ! -d /etc/cjdns ]; then
+        mesh_cjdns
+    fi
+
+    function_check select_go_version
+    select_go_version
+
+    apt-get -y install golang mercurial
+    if [ ! -f ~/.bashrc ]; then
+        touch ~/.bashrc
+    fi
+
+    if [ ! -d /home/git ]; then
+        # add a gogs user account
+        adduser --disabled-login --gecos 'Gogs' git
+
+        # install Go
+        if ! grep -q "export GOPATH=" ~/.bashrc; then
+            echo "export GOPATH=$GOPATH" >> ~/.bashrc
+        fi
+        systemctl set-environment GOPATH=$GOPATH
+        if ! grep -q "systemctl set-environment GOPATH=" ~/.bashrc; then
+            echo "systemctl set-environment GOPATH=$GOPATH" >> ~/.bashrc
+        fi
+        if [ ! -d $GOPATH ]; then
+            mkdir -p $GOPATH
+        fi
+    fi
+
+    if ! grep -q "export GOPATH=" ~/.bashrc; then
+        echo "export GOPATH=$GOPATH" >> ~/.bashrc
+    fi
+    expected_go_path='export PATH=$PATH:'${GOPATH}'/bin'
+    export PATH=$PATH:${GOPATH}/bin
+    if ! grep -q "$expected_go_path" ~/.bashrc; then
+        echo "$expected_go_path" >> ~/.bashrc
+    fi
+    export PATH=$PATH:$GOPATH/bin
+    CJDCMD_REPO2=$(echo "$CJDCMD_REPO" | sed 's|https://||g')
+    go get $CJDCMD_REPO2
+    if [ ! -f $GOPATH/bin/cjdcmd ]; then
+        echo $'cjdcmd was not compiled. Check your golang installation'
+        exit 7439
+    fi
+    cp $GOPATH/bin/cjdcmd /usr/bin
+
+    # initialise from the cjdns config
+    /usr/bin/cjdcmd cjdnsadmin -file /etc/cjdns/cjdroute.conf
+
+    echo 'mesh_cjdns_tools' >> $COMPLETION_FILE
 }
 
 # NOTE: deliberately no exit 0
diff --git a/src/freedombone-app-dlna b/src/freedombone-app-dlna
index d0d2a875c..52e93b4d6 100755
--- a/src/freedombone-app-dlna
+++ b/src/freedombone-app-dlna
@@ -28,6 +28,27 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+function configure_firewall_for_dlna {
+	if grep -Fxq "configure_firewall_for_dlna" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
+		# docker does its own firewalling
+		return
+	fi
+	if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" ]]; then
+		return
+	fi
+	iptables -A INPUT -p udp --dport 1900 -j ACCEPT
+	iptables -A INPUT -p tcp --dport 8200 -j ACCEPT
+	function_check save_firewall_settings
+	save_firewall_settings
+
+	OPEN_PORTS+=('DLNA     1900')
+	OPEN_PORTS+=('DLNA     8200')
+	echo 'configure_firewall_for_dlna' >> $COMPLETION_FILE
+}
+
 function install_dlna_server {
 	if grep -Fxq "install_dlna_server" $COMPLETION_FILE; then
 		return
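Review bot: The two ACCEPT rules in `configure_firewall_for_dlna` carry no `-i` or `-s` restriction, so UDP 1900 (SSDP) and TCP 8200 are accepted on every interface, including an internet-facing one. An SSDP responder reachable from outside the LAN can be used for reflection/amplification, and the media server on 8200 has no authentication of its own. I would scope both rules to the local network, e.g. `iptables -A INPUT -s "$LOCAL_SUBNET" -p udp --dport 1900 -j ACCEPT`, where `LOCAL_SUBNET` is a placeholder and not a variable this project defines. Whether an earlier rule in freedombone-utils-firewall already limits this traffic is not visible from the hunk.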
diff --git a/src/freedombone-app-email b/src/freedombone-app-email
index ff1a2cc4a..46ed1fb8e 100755
--- a/src/freedombone-app-email
+++ b/src/freedombone-app-email
@@ -78,6 +78,34 @@ GPGIT_COMMIT='583dc76119f19420f8a33f606744faa7c8922738'
 # refresh gpg keys every few hours
 REFRESH_GPG_KEYS_HOURS=2
 
+function configure_firewall_for_email {
+	if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" ]]; then
+		return
+	fi
+	if grep -Fxq "configure_firewall_for_email" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
+		# docker does its own firewalling
+		return
+	fi
+	if [[ $ONION_ONLY != "no" ]]; then
+		return
+	fi
+	iptables -A INPUT -p tcp --dport 25 -j ACCEPT
+	iptables -A INPUT -p tcp --dport 587 -j ACCEPT
+	iptables -A INPUT -p tcp --dport 465 -j ACCEPT
+	iptables -A INPUT -p tcp --dport 993 -j ACCEPT
+	function_check save_firewall_settings
+	save_firewall_settings
+
+	OPEN_PORTS+=('Email    25')
+	OPEN_PORTS+=('Email    587')
+	OPEN_PORTS+=('Email    465')
+	OPEN_PORTS+=('Email    993')
+	echo 'configure_firewall_for_email' >> $COMPLETION_FILE
+}
+
 function encrypt_incoming_email {
 	# encrypts incoming mail using your GPG public key
 	# so even if an attacker gains access to the data at rest they still need
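Review bot: `configure_firewall_for_email` appends its name to `$COMPLETION_FILE` and fills `OPEN_PORTS` whether or not the four `iptables -A` calls succeeded, so a failed rule is recorded as done and is never retried. Unless the caller runs under `set -e` (not visible here), bail out before the marker, e.g. `iptables -A INPUT -p tcp --dport 25 -j ACCEPT || return 1` on each rule. The dlna, ipfs, irc, mumble, sip, syncthing, tox, xmpp and zeronet hunks of this patch share the pattern. `$COMPLETION_FILE` is also unquoted in both the `grep` and the `>>` redirect; `"$COMPLETION_FILE"` avoids word splitting and an ambiguous redirect if the variable is ever empty.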
diff --git a/src/freedombone-app-ipfs b/src/freedombone-app-ipfs
index b564cf28b..3037e6a0c 100755
--- a/src/freedombone-app-ipfs
+++ b/src/freedombone-app-ipfs
@@ -32,6 +32,24 @@ IPFS_GO_REPO="https://github.com/ipfs/go-ipfs"
 IPFS_COMMIT='20b06a4cbce8884f5b194da6e98cb11f2c77f166'
 IPFS_PORT=4001
 
+function configure_firewall_for_ipfs {
+	if [[ $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" ]]; then
+		return
+	fi
+	if grep -Fxq "configure_firewall_for_ipfs" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $ONION_ONLY != "no" ]]; then
+		return
+	fi
+	iptables -A INPUT -p tcp --dport $IPFS_PORT -j ACCEPT
+	function_check save_firewall_settings
+	save_firewall_settings
+
+	OPEN_PORTS+=("IPFS     $IPFS_PORT")
+	echo 'configure_firewall_for_ipfs' >> $COMPLETION_FILE
+}
+
 function install_ipfs {
 	if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" ]]; then
 		return
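Review bot: `configure_firewall_for_ipfs` has no `INSTALLED_WITHIN_DOCKER` guard, while the dlna, email, irc, tox and xmpp functions in this patch return early under `# docker does its own firewalling`. If the omission is deliberate, a one-line comment should say why; otherwise add `if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then return; fi` after the completion check. The mumble, sip and syncthing hunks omit the guard as well.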
@@ -163,5 +181,8 @@ function install_ipfs {
 		rm /tmp/ipfsid
 	fi
 
+	function_check configure_firewall_for_ipfs
+	configure_firewall_for_ipfs
+
 	echo 'install_ipfs' >> $COMPLETION_FILE
 }
diff --git a/src/freedombone-app-irc b/src/freedombone-app-irc
index 8aff263e4..6d9e5082e 100755
--- a/src/freedombone-app-irc
+++ b/src/freedombone-app-irc
@@ -34,6 +34,29 @@ IRC_ONION_PORT=6697
 # An optional password to log into IRC. This applies to all users
 IRC_PASSWORD=
 
+function configure_firewall_for_irc {
+	if [ ! -d /etc/ngircd ]; then
+		return
+	fi
+	if grep -Fxq "configure_firewall_for_irc" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
+		# docker does its own firewalling
+		return
+	fi
+	if [[ $ONION_ONLY != "no" ]]; then
+		return
+	fi
+	iptables -A INPUT -p tcp --dport $IRC_PORT  -j ACCEPT
+	iptables -I INPUT -p tcp --dport 1024:65535 --sport $IRC_PORT -j ACCEPT
+	function_check save_firewall_settings
+	save_firewall_settings
+
+	OPEN_PORTS+=("IRC      $IRC_PORT")
+	echo 'configure_firewall_for_irc' >> $COMPLETION_FILE
+}
+
 function install_irc_server {
 	if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
 		return
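Review bot: The second rule, `iptables -I INPUT -p tcp --dport 1024:65535 --sport $IRC_PORT -j ACCEPT`, is inserted at the head of INPUT and matches only on source port, which the remote sender chooses. It therefore accepts TCP to every unprivileged local port ahead of all other rules. If the intent is to admit replies to outbound IRC connections, match on connection state instead, as the cjdns FORWARD rule removed from freedombone-utils-firewall in this patch does: `iptables -A INPUT -p tcp --sport $IRC_PORT -m state --state RELATED,ESTABLISHED -j ACCEPT`. If a general ESTABLISHED rule already exists elsewhere (not visible here), the rule can be dropped. It was moved unchanged by this commit, so the behaviour predates it.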
diff --git a/src/freedombone-app-mumble b/src/freedombone-app-mumble
index 0428cb633..038ae22e4 100755
--- a/src/freedombone-app-mumble
+++ b/src/freedombone-app-mumble
@@ -53,6 +53,25 @@ function get_voip_server_password {
 	fi
 }
 
+function configure_firewall_for_voip {
+	if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then
+		return
+	fi
+	if grep -Fxq "configure_firewall_for_voip" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $ONION_ONLY != "no" ]]; then
+		return
+	fi
+	iptables -A INPUT -p udp --dport $VOIP_PORT -j ACCEPT
+	iptables -A INPUT -p tcp --dport $VOIP_PORT -j ACCEPT
+	function_check save_firewall_settings
+	save_firewall_settings
+
+	OPEN_PORTS+=("Mumble   $VOIP_PORT")
+	echo 'configure_firewall_for_voip' >> $COMPLETION_FILE
+}
+
 function install_mumble {
 	if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then
 		return
diff --git a/src/freedombone-app-sip b/src/freedombone-app-sip
index 312b74361..10f7b305f 100755
--- a/src/freedombone-app-sip
+++ b/src/freedombone-app-sip
@@ -35,6 +35,50 @@ VOIP_TURN_PORT=3478
 VOIP_TURN_TLS_PORT=5349
 VOIP_TURN_NONCE=
 
+function configure_firewall_for_voip_turn {
+	if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then
+		return
+	fi
+	if grep -Fxq "configure_firewall_for_voip_turn" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $ONION_ONLY != "no" ]]; then
+		return
+	fi
+	iptables -A INPUT -p udp --dport $VOIP_TURN_PORT -j ACCEPT
+	iptables -A INPUT -p tcp --dport $VOIP_TURN_PORT -j ACCEPT
+	iptables -A INPUT -p tcp --dport $VOIP_TURN_TLS_PORT -j ACCEPT
+	function_check save_firewall_settings
+	save_firewall_settings
+
+	OPEN_PORTS+=("TURN     $VOIP_TURN_PORT")
+	OPEN_PORTS+=("TURN TLS $VOIP_TURN_TLS_PORT")
+	echo 'configure_firewall_for_voip_turn' >> $COMPLETION_FILE
+}
+
+
+function configure_firewall_for_sip4 {
+	if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then
+		return
+	fi
+	if grep -Fxq "configure_firewall_for_sip4" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $ONION_ONLY != "no" ]]; then
+		return
+	fi
+	iptables -A INPUT -p udp --dport $SIP_PORT -j ACCEPT
+	iptables -A INPUT -p tcp --dport $SIP_PORT -j ACCEPT
+	iptables -A INPUT -p udp --dport $SIP_TLS_PORT -j ACCEPT
+	iptables -A INPUT -p tcp --dport $SIP_TLS_PORT -j ACCEPT
+	function_check save_firewall_settings
+	save_firewall_settings
+
+	OPEN_PORTS+=("SIP      $SIP_PORT")
+	OPEN_PORTS+=("SIP TLS  $SIP_TLS_PORT")
+	echo 'configure_firewall_for_sip4' >> $COMPLETION_FILE
+}
+
 function get_sip_server_password {
 	if [ -f /home/$MY_USERNAME/README ]; then
 		if grep -q "SIP server password" /home/$MY_USERNAME/README; then
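Review bot: `configure_firewall_for_sip4` opens `$SIP_TLS_PORT` for UDP as well as TCP, whereas `configure_firewall_for_voip_turn` just above opens `$VOIP_TURN_TLS_PORT` for TCP only. SIP over TLS normally runs on TCP, so unless the SIP server is configured for DTLS (not visible in this hunk) the line `iptables -A INPUT -p udp --dport $SIP_TLS_PORT -j ACCEPT` can be dropped to keep the opened surface minimal. `SIP_PORT` and `SIP_TLS_PORT` are not among the variables shown in the hunk context, so a comment naming where they are set would help the reader.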
diff --git a/src/freedombone-app-syncthing b/src/freedombone-app-syncthing
index 2ac4dd159..2fb19b297 100755
--- a/src/freedombone-app-syncthing
+++ b/src/freedombone-app-syncthing
@@ -37,6 +37,19 @@ SYNCTHING_PORT=22000
 SYNCTHING_SHARED_DATA=/var/lib/syncthing/SyncShared
 SYNCTHING_USER_IDS_FILE='.syncthingids'
 
+function configure_firewall_for_syncthing {
+	if grep -Fxq "configure_firewall_for_syncthing" $COMPLETION_FILE; then
+		return
+	fi
+	iptables -A INPUT -p udp --dport $SYNCTHING_PORT -j ACCEPT
+	iptables -A INPUT -p tcp --dport $SYNCTHING_PORT -j ACCEPT
+	function_check save_firewall_settings
+	save_firewall_settings
+
+	OPEN_PORTS+=("Syncthing $SYNCTHING_PORT")
+	echo 'configure_firewall_for_syncthing' >> $COMPLETION_FILE
+}
+
 function install_syncthing {
 	if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
 		return
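Review bot: `configure_firewall_for_syncthing` opens `$SYNCTHING_PORT` on UDP and TCP with no `ONION_ONLY` check, unlike the email, ipfs, irc, mumble, sip, tox and xmpp functions in this patch. On an onion-only install the port would therefore still be opened on the clearnet side. I would add `if [[ $ONION_ONLY != "no" ]]; then return; fi` before the `iptables` lines, or a comment explaining why Syncthing is exempt. `configure_firewall_for_dlna` lacks the same guard. The call site is outside this hunk, so the caller may already filter on this.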
diff --git a/src/freedombone-app-tox b/src/freedombone-app-tox
index e6bdff93f..d8c3f14e3 100755
--- a/src/freedombone-app-tox
+++ b/src/freedombone-app-tox
@@ -44,6 +44,25 @@ TOXIC_REPO="https://github.com/Tox/toxic"
 TOXIC_COMMIT='cf16849b374e484a33a4dffa3dfb937b59d537f2'
 TOXIC_FILE=/usr/local/bin/toxic
 
+function configure_firewall_for_tox {
+	if grep -Fxq "configure_firewall_for_tox" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
+		# docker does its own firewalling
+		return
+	fi
+	if [[ $ONION_ONLY != "no" ]]; then
+		return
+	fi
+	iptables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT
+	function_check save_firewall_settings
+	save_firewall_settings
+
+	OPEN_PORTS+=("Tox      $TOX_PORT")
+	echo 'configure_firewall_for_tox' >> $COMPLETION_FILE
+}
+
 function tox_avahi {
 	if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then
 		return
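Review bot: Only TCP is opened for `$TOX_PORT` in `configure_firewall_for_tox`. Tox nodes normally communicate over UDP, with TCP as a relay fallback. If the bootstrap daemon set up elsewhere in this file listens on UDP (not visible here), a matching `iptables -A INPUT -p udp --dport $TOX_PORT -j ACCEPT` is needed. Otherwise a comment stating that TCP-only is intended would do.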
diff --git a/src/freedombone-app-xmpp b/src/freedombone-app-xmpp
index b9c3e0f8c..c289e0997 100755
--- a/src/freedombone-app-xmpp
+++ b/src/freedombone-app-xmpp
@@ -35,6 +35,32 @@ XMPP_PASSWORD=
 XMPP_CIPHERS='"EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"'
 XMPP_ECC_CURVE='"secp384r1"'
 
+function configure_firewall_for_xmpp {
+	if [ ! -d /etc/prosody ]; then
+		return
+	fi
+	if grep -Fxq "configure_firewall_for_xmpp" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
+		# docker does its own firewalling
+		return
+	fi
+	if [[ $ONION_ONLY != "no" ]]; then
+		return
+	fi
+	iptables -A INPUT -p tcp --dport 5222:5223 -j ACCEPT
+	iptables -A INPUT -p tcp --dport 5269 -j ACCEPT
+	iptables -A INPUT -p tcp --dport 5280:5281 -j ACCEPT
+	function_check save_firewall_settings
+	save_firewall_settings
+
+	OPEN_PORTS+=('XMPP     5222-5223')
+	OPEN_PORTS+=('XMPP     5269')
+	OPEN_PORTS+=('XMPP     5280-5281')
+	echo 'configure_firewall_for_xmpp' >> $COMPLETION_FILE
+}
+
 function update_prosody_modules {
 	if [ ! -d $INSTALL_DIR/prosody-modules ]; then
 		return
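Review bot: The range `--dport 5280:5281` exposes Prosody's plain-HTTP port 5280 alongside the HTTPS port 5281, and `5222:5223` includes the legacy direct-TLS port 5223. If BOSH/HTTP is meant to be reachable only over TLS, open just 5281 with `iptables -A INPUT -p tcp --dport 5281 -j ACCEPT` and adjust the `OPEN_PORTS` entry to match. Whether the Prosody config enables the 5280 listener is not visible in this hunk. At minimum, a comment above the rules naming what each port serves (c2s, s2s, HTTP/BOSH) would make the exposure reviewable.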
diff --git a/src/freedombone-app-zeronet b/src/freedombone-app-zeronet
index 7d149ed38..a3dddd6c8 100755
--- a/src/freedombone-app-zeronet
+++ b/src/freedombone-app-zeronet
@@ -45,6 +45,26 @@ ZERONET_DEFAULT_MAIL_TAGLINE="Mail for the Mesh"
 ZERONET_ID_REPO="https://github.com/HelloZeroNet/ZeroID"
 ZERONET_ID_COMMIT='ccf14fdc96fa9cdb2ddd8a7ab283a8e17a4f234b'
 
+function configure_firewall_for_zeronet {
+	if grep -Fxq "configure_firewall_for_zeronet" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then
+		return
+	fi
+	iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $ZERONET_PORT -j ACCEPT
+	iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $ZERONET_PORT -j ACCEPT
+	iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $TRACKER_PORT -j ACCEPT
+	iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $TRACKER_PORT -j ACCEPT
+	iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport 1900 -j ACCEPT
+	function_check save_firewall_settings
+	save_firewall_settings
+
+	OPEN_PORTS+=("ZeroNet  $ZERONET_PORT")
+	OPEN_PORTS+=("Tracker  $TRACKER_PORT")
+	echo 'configure_firewall_for_zeronet' >> $COMPLETION_FILE
+}
+
 function install_zeronet_blog {
 	if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then
 		return
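Review bot: The rule `iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport 1900 -j ACCEPT` has no matching `OPEN_PORTS` entry and no comment. The port summary therefore under-reports what is open, and a reader cannot tell why a ZeroNet function opens UDP 1900. I would add a comment stating its purpose and an `OPEN_PORTS+=(...)` line in the same format as the two existing entries. `$WIFI_INTERFACE` is also unquoted, so an empty value yields a malformed rule; a guard such as `[[ -n "$WIFI_INTERFACE" ]] || return` before the rules would make that case explicit.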
diff --git a/src/freedombone-utils-firewall b/src/freedombone-utils-firewall
index 118de8754..d232989d8 100755
--- a/src/freedombone-utils-firewall
+++ b/src/freedombone-utils-firewall
@@ -103,100 +103,6 @@ function configure_firewall_ping {
 	echo 'configure_firewall_ping' >> $COMPLETION_FILE
 }
 
-function configure_firewall_for_voip {
-	if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then
-		return
-	fi
-	if grep -Fxq "configure_firewall_for_voip" $COMPLETION_FILE; then
-		return
-	fi
-	if [[ $ONION_ONLY != "no" ]]; then
-		return
-	fi
-	iptables -A INPUT -p udp --dport $VOIP_PORT -j ACCEPT
-	iptables -A INPUT -p tcp --dport $VOIP_PORT -j ACCEPT
-	function_check save_firewall_settings
-	save_firewall_settings
-
-	OPEN_PORTS+=("Mumble   $VOIP_PORT")
-	echo 'configure_firewall_for_voip' >> $COMPLETION_FILE
-}
-
-function configure_firewall_for_syncthing {
-	if grep -Fxq "configure_firewall_for_syncthing" $COMPLETION_FILE; then
-		return
-	fi
-	iptables -A INPUT -p udp --dport $SYNCTHING_PORT -j ACCEPT
-	iptables -A INPUT -p tcp --dport $SYNCTHING_PORT -j ACCEPT
-	function_check save_firewall_settings
-	save_firewall_settings
-
-	OPEN_PORTS+=("Syncthing $SYNCTHING_PORT")
-	echo 'configure_firewall_for_syncthing' >> $COMPLETION_FILE
-}
-
-function configure_firewall_for_voip_turn {
-	if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then
-		return
-	fi
-	if grep -Fxq "configure_firewall_for_voip_turn" $COMPLETION_FILE; then
-		return
-	fi
-	if [[ $ONION_ONLY != "no" ]]; then
-		return
-	fi
-	iptables -A INPUT -p udp --dport $VOIP_TURN_PORT -j ACCEPT
-	iptables -A INPUT -p tcp --dport $VOIP_TURN_PORT -j ACCEPT
-	iptables -A INPUT -p tcp --dport $VOIP_TURN_TLS_PORT -j ACCEPT
-	function_check save_firewall_settings
-	save_firewall_settings
-
-	OPEN_PORTS+=("TURN     $VOIP_TURN_PORT")
-	OPEN_PORTS+=("TURN TLS $VOIP_TURN_TLS_PORT")
-	echo 'configure_firewall_for_voip_turn' >> $COMPLETION_FILE
-}
-
-
-function configure_firewall_for_sip4 {
-	if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then
-		return
-	fi
-	if grep -Fxq "configure_firewall_for_sip4" $COMPLETION_FILE; then
-		return
-	fi
-	if [[ $ONION_ONLY != "no" ]]; then
-		return
-	fi
-	iptables -A INPUT -p udp --dport $SIP_PORT -j ACCEPT
-	iptables -A INPUT -p tcp --dport $SIP_PORT -j ACCEPT
-	iptables -A INPUT -p udp --dport $SIP_TLS_PORT -j ACCEPT
-	iptables -A INPUT -p tcp --dport $SIP_TLS_PORT -j ACCEPT
-	function_check save_firewall_settings
-	save_firewall_settings
-
-	OPEN_PORTS+=("SIP      $SIP_PORT")
-	OPEN_PORTS+=("SIP TLS  $SIP_TLS_PORT")
-	echo 'configure_firewall_for_sip4' >> $COMPLETION_FILE
-}
-
-function configure_firewall_for_ipfs {
-	if [[ $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" ]]; then
-		return
-	fi
-	if grep -Fxq "configure_firewall_for_ipfs" $COMPLETION_FILE; then
-		return
-	fi
-	if [[ $ONION_ONLY != "no" ]]; then
-		return
-	fi
-	iptables -A INPUT -p tcp --dport $IPFS_PORT -j ACCEPT
-	function_check save_firewall_settings
-	save_firewall_settings
-
-	OPEN_PORTS+=("IPFS     $IPFS_PORT")
-	echo 'configure_firewall_for_ipfs' >> $COMPLETION_FILE
-}
-
 function configure_firewall_for_avahi {
 	if grep -Fxq "configure_firewall_for_avahi" $COMPLETION_FILE; then
 		return
@@ -212,89 +118,6 @@ function configure_firewall_for_avahi {
 	echo 'configure_firewall_for_avahi' >> $COMPLETION_FILE
 }
 
-function configure_firewall_for_cjdns {
-	if grep -Fxq "configure_firewall_for_cjdns" $COMPLETION_FILE; then
-		return
-	fi
-	if [[ $ENABLE_CJDNS != "yes" ]]; then
-		return
-	fi
-	ip6tables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
-	ip6tables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-	function_check save_firewall_settings
-	save_firewall_settings
-	echo 'configure_firewall_for_cjdns' >> $COMPLETION_FILE
-}
-
-function configure_firewall_for_batman {
-	if grep -Fxq "configure_firewall_for_batman" $COMPLETION_FILE; then
-		return
-	fi
-	if [[ $ENABLE_BATMAN != "yes" ]]; then
-		return
-	fi
-
-	function_check save_firewall_settings
-	save_firewall_settings
-	echo 'configure_firewall_for_batman' >> $COMPLETION_FILE
-}
-
-function configure_firewall_for_babel {
-	if grep -Fxq "configure_firewall_for_babel" $COMPLETION_FILE; then
-		return
-	fi
-	if [[ $ENABLE_BABEL != "yes" ]]; then
-		return
-	fi
-	iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $BABEL_PORT -j ACCEPT
-	function_check save_firewall_settings
-	save_firewall_settings
-
-	OPEN_PORTS+=("Babel    $BABEL_PORT")
-	echo 'configure_firewall_for_babel' >> $COMPLETION_FILE
-}
-
-function configure_firewall_for_zeronet {
-	if grep -Fxq "configure_firewall_for_zeronet" $COMPLETION_FILE; then
-		return
-	fi
-	if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then
-		return
-	fi
-	iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $ZERONET_PORT -j ACCEPT
-	iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $ZERONET_PORT -j ACCEPT
-	iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $TRACKER_PORT -j ACCEPT
-	iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $TRACKER_PORT -j ACCEPT
-	iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport 1900 -j ACCEPT
-	function_check save_firewall_settings
-	save_firewall_settings
-
-	OPEN_PORTS+=("ZeroNet  $ZERONET_PORT")
-	OPEN_PORTS+=("Tracker  $TRACKER_PORT")
-	echo 'configure_firewall_for_zeronet' >> $COMPLETION_FILE
-}
-
-function configure_firewall_for_dlna {
-	if grep -Fxq "configure_firewall_for_dlna" $COMPLETION_FILE; then
-		return
-	fi
-	if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
-		# docker does its own firewalling
-		return
-	fi
-	if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" ]]; then
-		return
-	fi
-	iptables -A INPUT -p udp --dport 1900 -j ACCEPT
-	iptables -A INPUT -p tcp --dport 8200 -j ACCEPT
-	function_check save_firewall_settings
-	save_firewall_settings
-
-	OPEN_PORTS+=('DLNA     1900')
-	OPEN_PORTS+=('DLNA     8200')
-	echo 'configure_firewall_for_dlna' >> $COMPLETION_FILE
-}
-
 function configure_firewall_for_dns {
 	if grep -Fxq "configure_firewall_for_dns" $COMPLETION_FILE; then
 		return
@@ -309,55 +132,6 @@ function configure_firewall_for_dns {
 	echo 'configure_firewall_for_dns' >> $COMPLETION_FILE
 }
 
-function configure_firewall_for_xmpp {
-	if [ ! -d /etc/prosody ]; then
-		return
-	fi
-	if grep -Fxq "configure_firewall_for_xmpp" $COMPLETION_FILE; then
-		return
-	fi
-	if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
-		# docker does its own firewalling
-		return
-	fi
-	if [[ $ONION_ONLY != "no" ]]; then
-		return
-	fi
-	iptables -A INPUT -p tcp --dport 5222:5223 -j ACCEPT
-	iptables -A INPUT -p tcp --dport 5269 -j ACCEPT
-	iptables -A INPUT -p tcp --dport 5280:5281 -j ACCEPT
-	function_check save_firewall_settings
-	save_firewall_settings
-
-	OPEN_PORTS+=('XMPP     5222-5223')
-	OPEN_PORTS+=('XMPP     5269')
-	OPEN_PORTS+=('XMPP     5280-5281')
-	echo 'configure_firewall_for_xmpp' >> $COMPLETION_FILE
-}
-
-function configure_firewall_for_irc {
-	if [ ! -d /etc/ngircd ]; then
-		return
-	fi
-	if grep -Fxq "configure_firewall_for_irc" $COMPLETION_FILE; then
-		return
-	fi
-	if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
-		# docker does its own firewalling
-		return
-	fi
-	if [[ $ONION_ONLY != "no" ]]; then
-		return
-	fi
-	iptables -A INPUT -p tcp --dport $IRC_PORT  -j ACCEPT
-	iptables -I INPUT -p tcp --dport 1024:65535 --sport $IRC_PORT -j ACCEPT
-	function_check save_firewall_settings
-	save_firewall_settings
-
-	OPEN_PORTS+=("IRC      $IRC_PORT")
-	echo 'configure_firewall_for_irc' >> $COMPLETION_FILE
-}
-
 function configure_firewall_for_web_access {
 	if grep -Fxq "configure_firewall_for_web_access" $COMPLETION_FILE; then
 		return
@@ -398,25 +172,6 @@ function configure_firewall_for_web_server {
 	echo 'configure_firewall_for_web_server' >> $COMPLETION_FILE
 }
 
-function configure_firewall_for_tox {
-	if grep -Fxq "configure_firewall_for_tox" $COMPLETION_FILE; then
-		return
-	fi
-	if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
-		# docker does its own firewalling
-		return
-	fi
-	if [[ $ONION_ONLY != "no" ]]; then
-		return
-	fi
-	iptables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT
-	function_check save_firewall_settings
-	save_firewall_settings
-
-	OPEN_PORTS+=("Tox      $TOX_PORT")
-	echo 'configure_firewall_for_tox' >> $COMPLETION_FILE
-}
-
 function configure_firewall_for_ssh {
 	if grep -Fxq "configure_firewall_for_ssh" $COMPLETION_FILE; then
 		return
@@ -453,34 +208,6 @@ function configure_firewall_for_git {
 	echo 'configure_firewall_for_git' >> $COMPLETION_FILE
 }
 
-function configure_firewall_for_email {
-	if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" ]]; then
-		return
-	fi
-	if grep -Fxq "configure_firewall_for_email" $COMPLETION_FILE; then
-		return
-	fi
-	if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
-		# docker does its own firewalling
-		return
-	fi
-	if [[ $ONION_ONLY != "no" ]]; then
-		return
-	fi
-	iptables -A INPUT -p tcp --dport 25 -j ACCEPT
-	iptables -A INPUT -p tcp --dport 587 -j ACCEPT
-	iptables -A INPUT -p tcp --dport 465 -j ACCEPT
-	iptables -A INPUT -p tcp --dport 993 -j ACCEPT
-	function_check save_firewall_settings
-	save_firewall_settings
-
-	OPEN_PORTS+=('Email    25')
-	OPEN_PORTS+=('Email    587')
-	OPEN_PORTS+=('Email    465')
-	OPEN_PORTS+=('Email    993')
-	echo 'configure_firewall_for_email' >> $COMPLETION_FILE
-}
-
 function configure_internet_protocol {
 	if grep -Fxq "configure_internet_protocol" $COMPLETION_FILE; then
 		return
-- 
GitLab