Tidying of firewall

src/freedombone-app-dlna

@@ -87,13 +87,9 @@ function configure_firewall_for_dlna {
         # docker does its own firewalling
         return
     fi
-    iptables -A INPUT -p udp --dport 1900 -j ACCEPT
-    iptables -A INPUT -p tcp --dport 8200 -j ACCEPT
-    function_check save_firewall_settings
-    save_firewall_settings
 
-    OPEN_PORTS+=('DLNA     1900')
-    OPEN_PORTS+=('DLNA     8200')
+    firewall_add DLNA 1900 udp
+    firewall_add DLNA 8200 tcp
     mark_completed $FUNCNAME
 }
 
@@ -162,11 +158,9 @@ function remove_dlna {
     if [ -f /etc/minidlna.conf ]; then
         rm /etc/minidlna.conf
     fi
-    iptables -D INPUT -p udp --dport 1900 -j ACCEPT
-    iptables -D INPUT -p tcp --dport 8200 -j ACCEPT
-    function_check save_firewall_settings
-    save_firewall_settings
     remove_completion_param install_dlna
+    firewall_remove 1900 udp
+    firewall_remove 8200 tcp
 }
 
 function install_dlna_main {

src/freedombone-app-ipfs

@@ -164,9 +164,7 @@ function remove_ipfs_go {
     systemctl daemon-reload
     rm /etc/systemd/system/ipfs.service
     rm -rf $GOPATH/src/github.com/ipfs
-    iptables -D INPUT -p tcp --dport $IPFS_PORT -j ACCEPT
-    function_check save_firewall_settings
-    save_firewall_settings
+    firewall_remove $IPFS_PORT tcp
     remove_completion_param install_ipfs
     remove_completion_param configure_firewall_for_ipfs
     sed -i '/ipfs/d' $COMPLETION_FILE
@@ -181,9 +179,7 @@ function remove_ipfs_js {
     npm uninstall ipfs --global
     npm uninstall ronin --global
 
-    iptables -D INPUT -p tcp --dport $IPFS_PORT -j ACCEPT
-    function_check save_firewall_settings
-    save_firewall_settings
+    firewall_remove $IPFS_PORT tcp
     sed -i '/install_ipfs/d' $COMPLETION_FILE
     sed -i '/ipfs/d' $COMPLETION_FILE
     sed -i '/configure_firewall_for_ipfs/d' $COMPLETION_FILE
@@ -201,11 +197,8 @@ function configure_firewall_for_ipfs {
     if [[ $ONION_ONLY != "no" ]]; then
         return
     fi
-    iptables -A INPUT -p tcp --dport $IPFS_PORT -j ACCEPT
-    function_check save_firewall_settings
-    save_firewall_settings
 
-    OPEN_PORTS+=("IPFS     $IPFS_PORT")
+    firewall_add IPFS $IPFS_PORT tcp
     mark_completed $FUNCNAME
 }
 

src/freedombone-app-irc

@@ -244,10 +244,12 @@ function remove_irc {
     if [ -d /etc/ngircd ]; then
         rm -rf /etc/ngircd
     fi
-    iptables -D INPUT -p tcp --dport ${IRC_PORT}  -j ACCEPT
+
     iptables -D INPUT -p tcp --dport 1024:65535 --sport ${IRC_PORT} -j ACCEPT
     function_check save_firewall_settings
     save_firewall_settings
+    firewall_remove ${IRC_PORT} tcp
+
     function_check remove_onion_service
     remove_onion_service irc ${IRC_ONION_PORT}
     remove_completion_param install_irc
@@ -269,12 +271,11 @@ function configure_firewall_for_irc {
     if [[ ${ONION_ONLY} != "no" ]]; then
         return
     fi
-    iptables -A INPUT -p tcp --dport ${IRC_PORT}  -j ACCEPT
     iptables -I INPUT -p tcp --dport 1024:65535 --sport ${IRC_PORT} -j ACCEPT
     function_check save_firewall_settings
     save_firewall_settings
 
-    OPEN_PORTS+=("IRC      $IRC_PORT")
+    firewall_add IRC ${IRC_PORT} tcp
     echo 'configure_firewall_for_irc' >> ${COMPLETION_FILE}
 }
 

src/freedombone-app-librevault

@@ -109,11 +109,7 @@ function restore_remote_librevault {
 }
 
 function remove_librevault {
-    iptables -D INPUT -p udp --dport $LIBREVAULT_PORT -j ACCEPT
-    iptables -D INPUT -p tcp --dport $LIBREVAULT_PORT -j ACCEPT
-    function_check save_firewall_settings
-    save_firewall_settings
-
+    firewall_remove ${LIBREVAULT_PORT}
     systemctl stop librevault
     systemctl disable librevault
     rm /etc/systemd/system/librevault.service
@@ -125,11 +121,7 @@ function configure_firewall_for_librevault {
     if [[ $(is_completed $FUNCNAME) == "1" ]]; then
         return
     fi
-    iptables -A INPUT -p udp --dport $LIBREVAULT_PORT -j ACCEPT
-    iptables -A INPUT -p tcp --dport $LIBREVAULT_PORT -j ACCEPT
-    function_check save_firewall_settings
-    save_firewall_settings
-    OPEN_PORTS+=("Librevault $LIBREVAULT_PORT")
+    firewall_add Librevault ${LIBREVAULT_PORT}
     mark_completed $FUNCNAME
 }
 

src/freedombone-app-mumble

@@ -158,10 +158,7 @@ function restore_remote_mumble {
 function remove_mumble {
     apt-get -y remove --purge mumble-server
     if [[ $ONION_ONLY == "no" ]]; then
-        iptables -D INPUT -p udp --dport $MUMBLE_PORT -j ACCEPT
-        iptables -D INPUT -p tcp --dport $MUMBLE_PORT -j ACCEPT
-        function_check save_firewall_settings
-        save_firewall_settings
+        firewall_remove ${MUMBLE_PORT}
     fi
     if [ -f /etc/mumble-server.ini ]; then
         rm /etc/mumble-server.ini
@@ -189,12 +186,7 @@ function configure_firewall_for_mumble {
     if [[ $ONION_ONLY != "no" ]]; then
         return
     fi
-    iptables -A INPUT -p udp --dport $MUMBLE_PORT -j ACCEPT
-    iptables -A INPUT -p tcp --dport $MUMBLE_PORT -j ACCEPT
-    function_check save_firewall_settings
-    save_firewall_settings
-
-    OPEN_PORTS+=("Mumble   $MUMBLE_PORT")
+    firewall_add Mumble ${MUMBLE_PORT}
     mark_completed $FUNCNAME
 }
 

src/freedombone-app-pihole

@@ -207,13 +207,7 @@ function configure_firewall_for_pihole {
     if [[ $(is_completed $FUNCNAME) == "1" ]]; then
         return
     fi
-    #iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-    iptables -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-    iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
-    function_check save_firewall_settings
-    save_firewall_settings
-
-    OPEN_PORTS+=('DNS      53')
+    firewall_add DNS 53
     mark_completed $FUNCNAME
 }
 
@@ -324,6 +318,7 @@ function remove_pihole {
         rm /etc/cron.d/pihole
     fi
 
+    firewall_remove 53
     userdel -r pihole
 }
 

src/freedombone-app-sip

@@ -158,16 +158,10 @@ function restore_remote_sip {
 }
 
 function remove_sip {
-    iptables -D INPUT -p udp --dport $TURN_PORT -j ACCEPT
-    iptables -D INPUT -p tcp --dport $TURN_PORT -j ACCEPT
-    iptables -D INPUT -p tcp --dport $TURN_TLS_PORT -j ACCEPT
-
-    iptables -D INPUT -p udp --dport $SIP_PORT -j ACCEPT
-    iptables -D INPUT -p tcp --dport $SIP_PORT -j ACCEPT
-    iptables -D INPUT -p udp --dport $SIP_TLS_PORT -j ACCEPT
-    iptables -D INPUT -p tcp --dport $SIP_TLS_PORT -j ACCEPT
-    function_check save_firewall_settings
-    save_firewall_settings
+    firewall_remove ${TURN_PORT}
+    firewall_remove ${TURN_TLS_PORT} tcp
+    firewall_remove ${SIP_PORT}
+    firewall_remove ${SIP_TLS_PORT}
 
     function_check remove_onion_service
     remove_onion_service sip ${SIP_PORT}
@@ -192,14 +186,8 @@ function configure_firewall_for_turn {
     if [[ $ONION_ONLY != "no" ]]; then
         return
     fi
-    iptables -A INPUT -p udp --dport $TURN_PORT -j ACCEPT
-    iptables -A INPUT -p tcp --dport $TURN_PORT -j ACCEPT
-    iptables -A INPUT -p tcp --dport $TURN_TLS_PORT -j ACCEPT
-    function_check save_firewall_settings
-    save_firewall_settings
-
-    OPEN_PORTS+=("TURN     $TURN_PORT")
-    OPEN_PORTS+=("TURN TLS $TURN_TLS_PORT")
+    firewall_add TURN ${TURN_PORT}
+    firewall_add "TURN TLS" ${TURN_TLS_PORT} tcp
     mark_completed $FUNCNAME
 }
 
@@ -211,15 +199,8 @@ function configure_firewall_for_sip4 {
     if [[ $ONION_ONLY != "no" ]]; then
         return
     fi
-    iptables -A INPUT -p udp --dport $SIP_PORT -j ACCEPT
-    iptables -A INPUT -p tcp --dport $SIP_PORT -j ACCEPT
-    iptables -A INPUT -p udp --dport $SIP_TLS_PORT -j ACCEPT
-    iptables -A INPUT -p tcp --dport $SIP_TLS_PORT -j ACCEPT
-    function_check save_firewall_settings
-    save_firewall_settings
-
-    OPEN_PORTS+=("SIP      $SIP_PORT")
-    OPEN_PORTS+=("SIP TLS  $SIP_TLS_PORT")
+    firewall_add SIP ${SIP_PORT}
+    firewall_add "SIP TLS" ${SIP_TLS_PORT}
     mark_completed $FUNCNAME
 }
 

src/freedombone-app-syncthing

@@ -462,11 +462,7 @@ function restore_remote_syncthing {
 }
 
 function remove_syncthing {
-    iptables -D INPUT -p udp --dport $SYNCTHING_PORT -j ACCEPT
-    iptables -D INPUT -p tcp --dport $SYNCTHING_PORT -j ACCEPT
-    function_check save_firewall_settings
-    save_firewall_settings
-
+    firewall_remove ${SYNCTHING_PORT}
     systemctl stop syncthing
     systemctl disable syncthing
     apt-get -y remove --purge syncthing
@@ -482,12 +478,7 @@ function configure_firewall_for_syncthing {
         return
     fi
 
-    iptables -A INPUT -p udp --dport $SYNCTHING_PORT -j ACCEPT
-    iptables -A INPUT -p tcp --dport $SYNCTHING_PORT -j ACCEPT
-    function_check save_firewall_settings
-    save_firewall_settings
-
-    OPEN_PORTS+=("Syncthing $SYNCTHING_PORT")
+    firewall_add Syncthing ${SYNCTHING_PORT}
     mark_completed $FUNCNAME
 }
 

src/freedombone-app-tahoelafs

@@ -186,10 +186,7 @@ function restore_remote_tahoelafs {
 }
 
 function remove_tahoelafs {
-    iptables -D INPUT -p udp --dport $TAHOELAFS_PORT -j ACCEPT
-    iptables -D INPUT -p tcp --dport $TAHOELAFS_PORT -j ACCEPT
-    function_check save_firewall_settings
-    save_firewall_settings
+    firewall_remove ${TAHOELAFS_PORT}
 
     for d in /home/*/ ; do
         USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
@@ -209,11 +206,7 @@ function configure_firewall_for_tahoelafs {
     if [[ $(is_completed $FUNCNAME) == "1" ]]; then
         return
     fi
-    iptables -A INPUT -p udp --dport $TAHOELAFS_PORT -j ACCEPT
-    iptables -A INPUT -p tcp --dport $TAHOELAFS_PORT -j ACCEPT
-    function_check save_firewall_settings
-    save_firewall_settings
-    OPEN_PORTS+=("Tahoe-LAFS $TAHOELAFS_PORT")
+    firewall_add Tahoe-LAFS ${TAHOELAFS_PORT}
     mark_completed $FUNCNAME
 }
 

src/freedombone-app-tox

@@ -242,10 +242,7 @@ function restore_remote_tox {
 }
 
 function remove_tox_node {
-    iptables -D INPUT -p tcp --dport $TOX_PORT -j ACCEPT
-    iptables -D INPUT -p udp --dport $TOX_PORT -j ACCEPT
-    function_check save_firewall_settings
-    save_firewall_settings
+    firewall_remove ${TOX_PORT}
 
     function_check remove_onion_service
     remove_onion_service tox ${TOX_PORT}
@@ -307,12 +304,7 @@ function configure_firewall_for_tox {
         exit 32856
     fi
 
-    iptables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT
-    iptables -A INPUT -p udp --dport $TOX_PORT -j ACCEPT
-    function_check save_firewall_settings
-    save_firewall_settings
-
-    OPEN_PORTS+=("Tox      $TOX_PORT")
+    firewall_add Tox ${TOX_PORT}
     mark_completed $FUNCNAME
 }
 

src/freedombone-app-xmpp

@@ -251,15 +251,11 @@ function configure_firewall_for_xmpp {
     if [[ $ONION_ONLY != "no" ]]; then
         return
     fi
-    iptables -A INPUT -p tcp --dport 5222:5223 -j ACCEPT
-    iptables -A INPUT -p tcp --dport 5269 -j ACCEPT
-    iptables -A INPUT -p tcp --dport 5280:5281 -j ACCEPT
-    function_check save_firewall_settings
-    save_firewall_settings
-
-    OPEN_PORTS+=('XMPP     5222-5223')
-    OPEN_PORTS+=('XMPP     5269')
-    OPEN_PORTS+=('XMPP     5280-5281')
+    firewall_add XMPP 5222 tcp
+    firewall_add XMPP 5223 tcp
+    firewall_add XMPP 5269 tcp
+    firewall_add XMPP 5280 tcp
+    firewall_add XMPP 5281 tcp
     mark_completed $FUNCNAME
 }
 
@@ -271,11 +267,11 @@ function remove_xmpp_client {
 
 function remove_xmpp {
     remove_xmpp_client
-    iptables -D INPUT -p tcp --dport 5222:5223 -j ACCEPT
-    iptables -D INPUT -p tcp --dport 5269 -j ACCEPT
-    iptables -D INPUT -p tcp --dport 5280:5281 -j ACCEPT
-    function_check save_firewall_settings
-    save_firewall_settings
+    firewall_remove 5222 tcp
+    firewall_remove 5223 tcp
+    firewall_remove 5269 tcp
+    firewall_remove 5280 tcp
+    firewall_remove 5281 tcp
 
     function_check remove_onion_service
     remove_onion_service xmpp 5222 5223 5269

src/freedombone-app-zeronet

@@ -126,13 +126,11 @@ function remove_zeronet {
     remove_zeronet_blog
     remove_zeronet_mail
     remove_zeronet_forum
-    iptables -D INPUT -i $WIFI_INTERFACE -p udp --dport $ZERONET_PORT -j ACCEPT
-    iptables -D INPUT -i $WIFI_INTERFACE -p tcp --dport $ZERONET_PORT -j ACCEPT
-    iptables -D INPUT -i $WIFI_INTERFACE -p udp --dport $TRACKER_PORT -j ACCEPT
-    iptables -D INPUT -i $WIFI_INTERFACE -p tcp --dport $TRACKER_PORT -j ACCEPT
-    iptables -D INPUT -i $WIFI_INTERFACE -p udp --dport 1900 -j ACCEPT
-    function_check save_firewall_settings
-    save_firewall_settings
+
+    firewall_remove ${ZERONET_PORT}
+    firewall_remove ${TRACKER_PORT}
+    firewall_remove 1900 udp
+
     ${PROJECT_NAME}-mesh-install -f zeronet --remove yes
     remove_completion_param install_zeronet
     remove_completion_param configure_firewall_for_zeronet
@@ -143,16 +141,9 @@ function configure_firewall_for_zeronet {
     if [[ $(is_completed $FUNCNAME) == "1" ]]; then
         return
     fi
-    iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $ZERONET_PORT -j ACCEPT
-    iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $ZERONET_PORT -j ACCEPT
-    iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $TRACKER_PORT -j ACCEPT
-    iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $TRACKER_PORT -j ACCEPT
-    iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport 1900 -j ACCEPT
-    function_check save_firewall_settings
-    save_firewall_settings
-
-    OPEN_PORTS+=("ZeroNet  $ZERONET_PORT")
-    OPEN_PORTS+=("Tracker  $TRACKER_PORT")
+    firewall_add ZeroNet ${ZERONET_PORT}
+    firewall_add Tracker ${TRACKER_PORT}
+    firewall_add Tracker 1900 udp
     mark_completed $FUNCNAME
 }
 

src/freedombone-base-email

@@ -93,17 +93,11 @@ function configure_firewall_for_email {
     if [[ $ONION_ONLY != "no" ]]; then
         return
     fi
-    iptables -A INPUT -p tcp --dport 25 -j ACCEPT
-    iptables -A INPUT -p tcp --dport 587 -j ACCEPT
-    iptables -A INPUT -p tcp --dport 465 -j ACCEPT
-    iptables -A INPUT -p tcp --dport 993 -j ACCEPT
-    function_check save_firewall_settings
-    save_firewall_settings
-
-    OPEN_PORTS+=('Email    25')
-    OPEN_PORTS+=('Email    587')
-    OPEN_PORTS+=('Email    465')
-    OPEN_PORTS+=('Email    993')
+
+    firewall_add Email 25 tcp
+    firewall_add Email 587 tcp
+    firewall_add Email 465 tcp
+    firewall_add Imap 993 tcp
     mark_completed $FUNCNAME
 }
 

src/freedombone-utils-final

@@ -28,8 +28,6 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-OPEN_PORTS=()
-
 function install_final {
     if [[ $(is_completed $FUNCNAME) == "1" ]]; then
         return
@@ -50,10 +48,6 @@ function install_final {
 
     Ensure that these ports are forwarded from your internet router
 "
-    for p in "${OPEN_PORTS[@]}"
-    do
-        echo "  $p"
-    done
     echo ''
 
     if [ -f "/home/$MY_USERNAME/README" ]; then

src/freedombone-utils-firewall

@@ -28,6 +28,8 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+FIREWALL_CONFIG=$HOME/firewall.cfg
+
 function save_firewall_settings {
     iptables-save > /etc/firewall.conf
     ip6tables-save > /etc/firewall6.conf
@@ -156,11 +158,8 @@ function configure_firewall_for_web_access {
     if [[ $ONION_ONLY != "no" ]]; then
         return
     fi
-    iptables -A INPUT -p tcp --dport 32768:61000 --sport 80 -j ACCEPT
-    iptables -A INPUT -p tcp --dport 32768:61000 --sport 443 -j ACCEPT
-    function_check save_firewall_settings
-    save_firewall_settings
-
+    firewall_remove 80 tcp
+    firewall_remove 443 tcp
     mark_completed $FUNCNAME
 }
 
@@ -175,13 +174,9 @@ function configure_firewall_for_web_server {
     if [[ $ONION_ONLY != "no" ]]; then
         return
     fi
-    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
-    iptables -A INPUT -p tcp --dport 443 -j ACCEPT
-    function_check save_firewall_settings
-    save_firewall_settings
 
-    OPEN_PORTS+=('HTTP     80')
-    OPEN_PORTS+=('HTTPS    443')
+    firewall_add HTTP 80 tcp
+    firewall_add HTTPS 443 tcp
     mark_completed $FUNCNAME
 }
 
@@ -193,12 +188,9 @@ function configure_firewall_for_ssh {
         # docker does its own firewalling
         return
     fi
-    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
-    iptables -A INPUT -p tcp --dport $SSH_PORT -j ACCEPT
-    function_check save_firewall_settings
-    save_firewall_settings
 
-    OPEN_PORTS+=("SSH      $SSH_PORT")
+    firewall_add SSH 22 tcp
+    firewall_add SSH ${SSH_PORT} tcp
     mark_completed $FUNCNAME
 }
 
@@ -213,11 +205,8 @@ function configure_firewall_for_git {
     if [[ $ONION_ONLY != "no" ]]; then
         return
     fi
-    iptables -A INPUT -p tcp --dport 9418 -j ACCEPT
-    function_check save_firewall_settings
-    save_firewall_settings
 
-    OPEN_PORTS+=("Git      9418")
+    firewall_add Git 9418 tcp
     mark_completed $FUNCNAME
 }
 
@@ -314,3 +303,52 @@ function mesh_firewall {
     echo 'WantedBy=multi-user.target' >> $FIREWALL_FILENAME
     chroot "$rootdir" systemctl enable meshfirewall
 }
+
+function firewall_add {
+    firewall_name="$1"
+    firewall_port=$2
+    firewall_protocol="$3"
+
+    if ! grep -q "${firewall_name}=${firewall_port}" $FIREWALL_CONFIG; then
+        echo "${firewall_name}=${firewall_port}" >> $FIREWALL_CONFIG
+        if [ ! ${firewall_protocol} ]; then
+            iptables -A INPUT -p udp --dport ${firewall_port} -j ACCEPT
+            iptables -A INPUT -p tcp --dport ${firewall_port} -j ACCEPT
+        else
+            if [[ "${firewall_protocol}" == *"udp"* ]]; then
+                iptables -A INPUT -p udp --dport ${firewall_port} -j ACCEPT
+            fi
+            if [[ "${firewall_protocol}" == *"tcp"* ]]; then
+                iptables -A INPUT -p tcp --dport ${firewall_port} -j ACCEPT
+            fi
+        fi
+        save_firewall_settings
+    fi
+}
+
+function firewall_remove {
+    firewall_port=$1
+    firewall_protocol="$2"
+
+    if [ ! -f $FIREWALL_CONFIG ]; then
+        return
+    fi
+
+    if grep -q "=${firewall_port}" $FIREWALL_CONFIG; then
+        if [ ! ${firewall_protocol} ]; then
+            iptables -D INPUT -p udp --dport ${firewall_port} -j ACCEPT
+            iptables -D INPUT -p tcp --dport ${firewall_port} -j ACCEPT
+        else
+            if [[ "${firewall_protocol}" == *"udp"* ]]; then
+                iptables -D INPUT -p udp --dport ${firewall_port} -j ACCEPT
+            fi
+            if [[ "${firewall_protocol}" == *"tcp"* ]]; then
+                iptables -D INPUT -p tcp --dport ${firewall_port} -j ACCEPT
+            fi
+        fi
+        sed -i "/=${firewall_port}/d" $FIREWALL_CONFIG
+        save_firewall_settings
+    fi
+}
+
+# NOTE: deliberately no exit 0