Move firewall functions into app scripts

src/freedombone-app-babel

@@ -32,6 +32,21 @@
 ENABLE_BABEL="no"
 BABEL_PORT=6696
 
+function configure_firewall_for_babel {
+	if grep -Fxq "configure_firewall_for_babel" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $ENABLE_BABEL != "yes" ]]; then
+		return
+	fi
+	iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $BABEL_PORT -j ACCEPT
+	function_check save_firewall_settings
+	save_firewall_settings
+
+	OPEN_PORTS+=("Babel    $BABEL_PORT")
+	echo 'configure_firewall_for_babel' >> $COMPLETION_FILE
+}
+
 function mesh_babel {
 	if grep -Fxq "mesh_babel" $COMPLETION_FILE; then
 		return

src/freedombone-app-batman

@@ -32,6 +32,19 @@
 ENABLE_BATMAN="no"
 BATMAN_CELLID='any'
 
+function configure_firewall_for_batman {
+	if grep -Fxq "configure_firewall_for_batman" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $ENABLE_BATMAN != "yes" ]]; then
+		return
+	fi
+
+	function_check save_firewall_settings
+	save_firewall_settings
+	echo 'configure_firewall_for_batman' >> $COMPLETION_FILE
+}
+
 function mesh_batman {
 	if grep -Fxq "mesh_batman" $COMPLETION_FILE; then
 		return

src/freedombone-app-cjdns

@@ -40,408 +40,425 @@ CJDNS_COMMIT='13189fde111d0500427a7a0ce06a970753527bca'
 CJDCMD_REPO="https://github.com/inhies/cjdcmd"
 CJDCMD_COMMIT='973cca6ed0eecf9041c3403a40193c0b1291b808'
 
+function configure_firewall_for_cjdns {
+    if grep -Fxq "configure_firewall_for_cjdns" $COMPLETION_FILE; then
+        return
+    fi
+    if [[ $ENABLE_CJDNS != "yes" ]]; then
+        return
+    fi
+    ip6tables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
+    ip6tables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+    function_check save_firewall_settings
+    save_firewall_settings
+    echo 'configure_firewall_for_cjdns' >> $COMPLETION_FILE
+}
+
 function get_cjdns_public_key {
-	if [ -f /home/$MY_USERNAME/README ]; then
-		if grep -q "cjdns public key" /home/$MY_USERNAME/README; then
-			if [ ! $CJDNS_PUBLIC_KEY ]; then
-				CJDNS_PUBLIC_KEY=$(cat /home/$MY_USERNAME/README | grep "cjdns public key" | awk -F ':' '{print $2}' | sed 's/^ *//')
-			fi
-		fi
-	fi
+    if [ -f /home/$MY_USERNAME/README ]; then
+        if grep -q "cjdns public key" /home/$MY_USERNAME/README; then
+            if [ ! $CJDNS_PUBLIC_KEY ]; then
+                CJDNS_PUBLIC_KEY=$(cat /home/$MY_USERNAME/README | grep "cjdns public key" | awk -F ':' '{print $2}' | sed 's/^ *//')
+            fi
+        fi
+    fi
 }
 
 function get_cjdns_private_key {
-	if [ -f /home/$MY_USERNAME/README ]; then
-		if grep -q "cjdns private key" /home/$MY_USERNAME/README; then
-			if [ ! $CJDNS_PRIVATE_KEY ]; then
-				CJDNS_PRIVATE_KEY=$(cat /home/$MY_USERNAME/README | grep "cjdns private key" | awk -F ':' '{print $2}' | sed 's/^ *//')
-			fi
-		fi
-	fi
+    if [ -f /home/$MY_USERNAME/README ]; then
+        if grep -q "cjdns private key" /home/$MY_USERNAME/README; then
+            if [ ! $CJDNS_PRIVATE_KEY ]; then
+                CJDNS_PRIVATE_KEY=$(cat /home/$MY_USERNAME/README | grep "cjdns private key" | awk -F ':' '{print $2}' | sed 's/^ *//')
+            fi
+        fi
+    fi
 }
 
 function get_cjdns_ipv6_address {
-	if [ -f /home/$MY_USERNAME/README ]; then
-		if grep -q "cjdns IPv6 address" /home/$MY_USERNAME/README; then
-			if [ ! $CJDNS_IPV6 ]; then
-				CJDNS_IPV6=$(cat /home/$MY_USERNAME/README | grep "cjdns IPv6 address" | awk -F ':' '{print $2}' | sed 's/^ *//')
-			fi
-		fi
-	fi
+    if [ -f /home/$MY_USERNAME/README ]; then
+        if grep -q "cjdns IPv6 address" /home/$MY_USERNAME/README; then
+            if [ ! $CJDNS_IPV6 ]; then
+                CJDNS_IPV6=$(cat /home/$MY_USERNAME/README | grep "cjdns IPv6 address" | awk -F ':' '{print $2}' | sed 's/^ *//')
+            fi
+        fi
+    fi
 }
 
 function get_cjdns_port {
-	if [ -f /home/$MY_USERNAME/README ]; then
-		if grep -q "cjdns port" /home/$MY_USERNAME/README; then
-			if [ ! $CJDNS_PORT ]; then
-				CJDNS_PORT=$(cat /home/$MY_USERNAME/README | grep "cjdns port" | awk -F ':' '{print $2}' | sed 's/^ *//')
-			fi
-		fi
-	fi
+    if [ -f /home/$MY_USERNAME/README ]; then
+        if grep -q "cjdns port" /home/$MY_USERNAME/README; then
+            if [ ! $CJDNS_PORT ]; then
+                CJDNS_PORT=$(cat /home/$MY_USERNAME/README | grep "cjdns port" | awk -F ':' '{print $2}' | sed 's/^ *//')
+            fi
+        fi
+    fi
 }
 
 function get_cjdns_password {
-	if [ -f /home/$MY_USERNAME/README ]; then
-		if grep -q "cjdns password" /home/$MY_USERNAME/README; then
-			if [ ! $CJDNS_PASSWORD ]; then
-				CJDNS_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "cjdns password" | awk -F ':' '{print $2}' | sed 's/^ *//')
-			fi
-		fi
-	fi
+    if [ -f /home/$MY_USERNAME/README ]; then
+        if grep -q "cjdns password" /home/$MY_USERNAME/README; then
+            if [ ! $CJDNS_PASSWORD ]; then
+                CJDNS_PASSWORD=$(cat /home/$MY_USERNAME/README | grep "cjdns password" | awk -F ':' '{print $2}' | sed 's/^ *//')
+            fi
+        fi
+    fi
 }
 
 function mesh_cjdns {
-	if [[ $ENABLE_CJDNS != "yes" ]]; then
-		return
-	fi
-
-	# update to the next commit
-	function_check set_repo_commit
-	set_repo_commit /etc/cjdns "cjdns commit" "$CJDNS_COMMIT" $CJDNS_REPO
-
-	if grep -Fxq "mesh_cjdns" $COMPLETION_FILE; then
-		return
-	fi
-
-	apt-get -y install nodejs git build-essential nmap
-
-	# if a README exists then obtain the cjdns parameters
-	function_check get_cjdns_ipv6_address
-	get_cjdns_ipv6_address
-
-	function_check get_cjdns_public_key
-	get_cjdns_public_key
-
-	function_check get_cjdns_private_key
-	get_cjdns_private_key
-
-	function_check get_cjdns_port
-	get_cjdns_port
-
-	function_check get_cjdns_password
-	get_cjdns_password
-
-	# special compile settings for running ./do on the Beaglebone Black
-	if [[ $INSTALLING_ON_BBB == "yes" ]]; then
-		CFLAGS="-O2 -march=armv7-a -mtune=cortex-a8 -mfpu=neon -ftree-vectorize -ffast-math -mfloat-abi=hard -marm -Wno-error=maybe-uninitialized"
-		export LDFLAGS="$CFLAGS"
-	fi
-
-	if [ ! -d /etc/cjdns ]; then
-		function_check git_pull
-		git_clone $CJDNS_REPO /etc/cjdns
-		cd /etc/cjdns
-
-		git checkout $CJDNS_COMMIT -b $CJDNS_COMMIT
-		if ! grep -q "cjdns commit" $COMPLETION_FILE; then
-			echo "cjdns commit:$CJDNS_COMMIT" >> $COMPLETION_FILE
-		else
-			sed -i "s/cjdns commit.*/cjdns commit:$CJDNS_COMMIT/g" $COMPLETION_FILE
-		fi
-
-		./do
-		if [ ! "$?" = "0" ]; then
-			exit 7439
-		fi
-		# create a configuration
-		if [ ! -f /etc/cjdns/cjdroute.conf ]; then
-			./cjdroute --genconf > /etc/cjdns/cjdroute.conf
-			if [ ! "$?" = "0" ]; then
-				exit 5922
-			fi
-		fi
-		# create a user to run as
-		useradd cjdns
-	else
-		cd /etc/cjdns
-		function_check git_pull
-		git_pull $CJDNS_REPO
-		./do
-		if [ ! "$?" = "0" ]; then
-			exit 9926
-		fi
-	fi
-
-	# set permissions
-	chown -R cjdns:cjdns /etc/cjdns
-	chmod 600 /etc/cjdns/cjdroute.conf
-
-	/sbin/ip tuntap add mode tun user cjdns dev cjdroute0
-
-	# insert values into the configuration file
-	if [ $CJDNS_PRIVATE_KEY ]; then
-		sed -i "s/\"privateKey\":.*/\"privateKey\": \"$CJDNS_PRIVATE_KEY\",/g" /etc/cjdns/cjdroute.conf
-	else
-		CJDNS_PRIVATE_KEY=$(cat /etc/cjdns/cjdroute.conf | grep '"privateKey"' | awk -F '"' '{print $4}' | sed -n 1p)
-	fi
-	if [ $CJDNS_PUBLIC_KEY ]; then
-		sed -i "s/\"publicKey\":.*/\"publicKey\": \"$CJDNS_PUBLIC_KEY\",/g" /etc/cjdns/cjdroute.conf
-	else
-		CJDNS_PUBLIC_KEY=$(cat /etc/cjdns/cjdroute.conf | grep '"publicKey"' | awk -F '"' '{print $4}' | sed -n 1p)
-	fi
-	if [ $CJDNS_IPV6 ]; then
-		sed -i "s/\"ipv6\":.*/\"ipv6\": \"$CJDNS_IPV6\",/g" /etc/cjdns/cjdroute.conf
-	else
-		CJDNS_IPV6=$(cat /etc/cjdns/cjdroute.conf | grep '"ipv6"' | awk -F '"' '{print $4}' | sed -n 1p)
-	fi
-	if [ $CJDNS_PASSWORD ]; then
-		sed -i "0,/{\"password\":.*/s//{\"password\": \"$CJDNS_PASSWORD\"}/g" /etc/cjdns/cjdroute.conf
-	else
-		CJDNS_PASSWORD=$(cat /etc/cjdns/cjdroute.conf | grep '"password"' | awk -F '"' '{print $4}' | sed -n 1p)
-	fi
-	if [ $CJDNS_PORT ]; then
-		sed -i "s/\"bind\": \"0.0.0.0:.*/\"bind\": \"0.0.0.0:$CJDNS_PORT\",/g" /etc/cjdns/cjdroute.conf
-	else
-		CJDNS_PORT=$(cat /etc/cjdns/cjdroute.conf | grep '"bind": "0.0.0.0:' | awk -F '"' '{print $4}' | awk -F ':' '{print $2}' | sed -n 1p)
-	fi
-
-	function_check enable_ipv6
-	enable_ipv6
-
-	echo '#!/bin/sh -e' > /etc/init.d/cjdns
-	echo '### BEGIN INIT INFO' >> /etc/init.d/cjdns
-	echo '# hyperboria.sh - An init script (/etc/init.d/) for cjdns' >> /etc/init.d/cjdns
-	echo '# Provides:          cjdroute' >> /etc/init.d/cjdns
-	echo '# Required-Start:    $remote_fs $network' >> /etc/init.d/cjdns
-	echo '# Required-Stop:     $remote_fs $network' >> /etc/init.d/cjdns
-	echo '# Default-Start:     2 3 4 5' >> /etc/init.d/cjdns
-	echo '# Default-Stop:      0 1 6' >> /etc/init.d/cjdns
-	echo '# Short-Description: Cjdns router' >> /etc/init.d/cjdns
-	echo '# Description:       A routing engine designed for security, scalability, speed and ease of use.' >> /etc/init.d/cjdns
-	echo '# cjdns git repo:    https://github.com/cjdelisle/cjdns/' >> /etc/init.d/cjdns
-	echo '### END INIT INFO' >> /etc/init.d/cjdns
-	echo '' >> /etc/init.d/cjdns
-	echo 'PROG="cjdroute"' >> /etc/init.d/cjdns
-	echo 'GIT_PATH="/etc/cjdns"' >> /etc/init.d/cjdns
-	echo 'PROG_PATH="/etc/cjdns"' >> /etc/init.d/cjdns
-	echo 'CJDNS_CONFIG="cjdroute.conf"' >> /etc/init.d/cjdns
-	echo 'CJDNS_USER="cjdns"' >> /etc/init.d/cjdns
-	echo "CJDNS_IP='$CJDNS_IPV6'" >> /etc/init.d/cjdns
-	echo '' >> /etc/init.d/cjdns
-	echo 'start() {' >> /etc/init.d/cjdns
-	echo '     # Start it up with the user cjdns' >> /etc/init.d/cjdns
-	echo '     if [ $(pgrep cjdroute | wc -l) != 0 ];' >> /etc/init.d/cjdns
-	echo '     then' >> /etc/init.d/cjdns
-	echo '         echo "cjdroute is already running. Doing nothing..."' >> /etc/init.d/cjdns
-	echo '     else' >> /etc/init.d/cjdns
-	echo '         echo " * Starting cjdroute"' >> /etc/init.d/cjdns
-	echo '         su -c "$PROG_PATH/$PROG < $PROG_PATH/$CJDNS_CONFIG" - $CJDNS_USER' >> /etc/init.d/cjdns
-	echo '         /sbin/ip addr add $CJDNS_IP/8 dev tun0' >> /etc/init.d/cjdns
-	echo '         /sbin/ip link set mtu 1312 dev tun0' >> /etc/init.d/cjdns
-	echo '         /sbin/ip link set tun0 up' >> /etc/init.d/cjdns
-	echo '         /sbin/ip tuntap add mode tun user cjdns dev tun0' >> /etc/init.d/cjdns
-	echo '     fi' >> /etc/init.d/cjdns
-	echo '}' >> /etc/init.d/cjdns
-	echo '' >> /etc/init.d/cjdns
-	echo 'stop() {' >> /etc/init.d/cjdns
-	echo '' >> /etc/init.d/cjdns
-	echo '     if [ $(pgrep cjdroute | wc -l) != 2 ];' >> /etc/init.d/cjdns
-	echo '     then' >> /etc/init.d/cjdns
-	echo '         echo "cjdns isnt running."' >> /etc/init.d/cjdns
-	echo '     else' >> /etc/init.d/cjdns
-	echo '         echo "Killing cjdroute"' >> /etc/init.d/cjdns
-	echo '         killall cjdroute' >> /etc/init.d/cjdns
-	echo '     fi' >> /etc/init.d/cjdns
-	echo '}' >> /etc/init.d/cjdns
-	echo '' >> /etc/init.d/cjdns
-	echo 'status() {' >> /etc/init.d/cjdns
-	echo '     if [ $(pgrep cjdroute | wc -l) != 0 ];' >> /etc/init.d/cjdns
-	echo '     then' >> /etc/init.d/cjdns
-	echo '         echo "Cjdns is running"' >> /etc/init.d/cjdns
-	echo '     else' >> /etc/init.d/cjdns
-	echo '         echo "Cjdns is not running"' >> /etc/init.d/cjdns
-	echo '     fi' >> /etc/init.d/cjdns
-	echo '}' >> /etc/init.d/cjdns
-	echo '' >> /etc/init.d/cjdns
-	echo ' update() {' >> /etc/init.d/cjdns
-	echo '     cd $GIT_PATH' >> /etc/init.d/cjdns
-	echo '     echo "Updating..."' >> /etc/init.d/cjdns
-	echo '     git pull' >> /etc/init.d/cjdns
-	echo '     ./do' >> /etc/init.d/cjdns
-	echo '}' >> /etc/init.d/cjdns
-	echo '' >> /etc/init.d/cjdns
-	echo '## Check to see if we are running as root first.' >> /etc/init.d/cjdns
-	echo 'if [ "$(id -u)" != "0" ]; then' >> /etc/init.d/cjdns
-	echo '    echo "This script must be run as root" 1>&2' >> /etc/init.d/cjdns
-	echo '    exit 1' >> /etc/init.d/cjdns
-	echo 'fi' >> /etc/init.d/cjdns
-	echo '' >> /etc/init.d/cjdns
-	echo 'case $1 in' >> /etc/init.d/cjdns
-	echo '     start)' >> /etc/init.d/cjdns
-	echo '         start' >> /etc/init.d/cjdns
-	echo '         exit 0' >> /etc/init.d/cjdns
-	echo '     ;;' >> /etc/init.d/cjdns
-	echo '     stop)' >> /etc/init.d/cjdns
-	echo '         stop' >> /etc/init.d/cjdns
-	echo '         exit 0' >> /etc/init.d/cjdns
-	echo '     ;;' >> /etc/init.d/cjdns
-	echo '     reload|restart|force-reload)' >> /etc/init.d/cjdns
-	echo '         stop' >> /etc/init.d/cjdns
-	echo '         sleep 1' >> /etc/init.d/cjdns
-	echo '         start' >> /etc/init.d/cjdns
-	echo '         exit 0' >> /etc/init.d/cjdns
-	echo '     ;;' >> /etc/init.d/cjdns
-	echo '     status)' >> /etc/init.d/cjdns
-	echo '         status' >> /etc/init.d/cjdns
-	echo '         exit 0' >> /etc/init.d/cjdns
-	echo '     ;;' >> /etc/init.d/cjdns
-	echo '     update|upgrade)' >> /etc/init.d/cjdns
-	echo '         update' >> /etc/init.d/cjdns
-	echo '         stop' >> /etc/init.d/cjdns
-	echo '         sleep 2' >> /etc/init.d/cjdns
-	echo '         start' >> /etc/init.d/cjdns
-	echo '         exit 0' >> /etc/init.d/cjdns
-	echo '     ;;' >> /etc/init.d/cjdns
-	echo '     **)' >> /etc/init.d/cjdns
-	echo '         echo "Usage: $0 (start|stop|restart|status|update)" 1>&2' >> /etc/init.d/cjdns
-	echo '         exit 1' >> /etc/init.d/cjdns
-	echo '     ;;' >> /etc/init.d/cjdns
-	echo 'esac' >> /etc/init.d/cjdns
-	chmod +x /etc/init.d/cjdns
-	update-rc.d cjdns defaults
-	service cjdns start
-	if [ ! "$?" = "0" ]; then
-		systemctl status cjdns.service
-		exit 8260
-	fi
-
-	apt-get -y install radvd
-	echo 'interface eth0' > /etc/radvd.conf
-	echo '{' >> /etc/radvd.conf
-	echo '    AdvSendAdvert on;' >> /etc/radvd.conf
-	echo '    prefix fdfc::1/64' >> /etc/radvd.conf
-	echo '    {' >> /etc/radvd.conf
-	echo '        AdvRouterAddr on;' >> /etc/radvd.conf
-	echo '    };' >> /etc/radvd.conf
-	echo '};' >> /etc/radvd.conf
-	systemctl restart radvd
-	if [ ! "$?" = "0" ]; then
-		systemctl status radvd.service
-		exit 4395
-	fi
-
-	if ! grep -q "# Mesh Networking (cjdns)" /etc/network/interfaces; then
-		echo '' >> /etc/network/interfaces
-		echo '# Mesh Networking (cjdns)' >> /etc/network/interfaces
-		echo 'iface eth0 inet6 static' >> /etc/network/interfaces
-		echo '    pre-up modprobe ipv6' >> /etc/network/interfaces
-		echo '    address fdfc:0000:0000:0000:0000:0000:0000:0001' >> /etc/network/interfaces
-		echo '    netmask 64' >> /etc/network/interfaces
-		service network-manager restart
-		if [ ! "$?" = "0" ]; then
-			systemctl status networking.service
-			exit 6949
-		fi
-	fi
-
-	ip6tables -A INPUT -p udp --dport $CJDNS_PORT -j ACCEPT
-	ip6tables -A INPUT -p tcp --dport $CJDNS_PORT -j ACCEPT
-
-	function_ckeck save_firewall_settings
-	save_firewall_settings
-
-	if ! grep -q $"Mesh Networking (cjdns)" /home/$MY_USERNAME/README; then
-		CURRENT_IP_ADDRESS=$(ip addr show | grep "inet " | sed -n 2p | awk -F ' ' '{print $2}' | awk -F '/' '{print $1}')
-
-		echo '' >> /home/$MY_USERNAME/README
-		echo '' >> /home/$MY_USERNAME/README
-		echo $'Mesh Networking (cjdns)' >> /home/$MY_USERNAME/README
-		echo '=======================' >> /home/$MY_USERNAME/README
-		echo $"cjdns IPv6 address: $CJDNS_IPV6" >> /home/$MY_USERNAME/README
-		echo $"cjdns public key: $CJDNS_PUBLIC_KEY" >> /home/$MY_USERNAME/README
-		echo $"cjdns private key: $CJDNS_PRIVATE_KEY" >> /home/$MY_USERNAME/README
-		echo $"cjdns password: $CJDNS_PASSWORD" >> /home/$MY_USERNAME/README
-		echo $"cjdns port: $CJDNS_PORT" >> /home/$MY_USERNAME/README
-		echo '' >> /home/$MY_USERNAME/README
-		echo $"Forward port $CJDNS_PORT from your internet router to the ${PROJECT_NAME}" >> /home/$MY_USERNAME/README
-		echo '' >> /home/$MY_USERNAME/README
-		echo $'Below is an example of your connection credentials' >> /home/$MY_USERNAME/README
-		echo $'that you can give to other people so they can connect' >> /home/$MY_USERNAME/README
-		echo $'to you using your default password' >> /home/$MY_USERNAME/README
-		echo $'Adding a unique password for each user is advisable' >> /home/$MY_USERNAME/README
-		echo $'so that leaks can be isolated.' >> /home/$MY_USERNAME/README
-		echo '' >> /home/$MY_USERNAME/README
-		echo "\"$CURRENT_IP_ADDRESS:$CJDNS_PORT\":{\"password\":\"$CJDNS_PASSWORD\",\"publicKey\":\"$CJDNS_PUBLIC_KEY\"}" >> /home/$MY_USERNAME/README
-		echo '' >> /home/$MY_USERNAME/README
-		echo $'More is not better. 3-5 cjdns peers is good. 30 peers is bad.' >> /home/$MY_USERNAME/README
-		echo '' >> /home/$MY_USERNAME/README
-		echo $'NEVER USE A PUBLIC PEER. These degrade the network and make it centralized.' >> /home/$MY_USERNAME/README
-		echo $'Each node can handle many peers, but no node can handle the entire internet.' >> /home/$MY_USERNAME/README
-		echo $'As this network grows any public peer will simply become saturated and' >> /home/$MY_USERNAME/README
-		echo $'useless causing issues for the entire network.' >> /home/$MY_USERNAME/README
-		echo $'Please report anyone offering you a public peer as they are promoting shared' >> /home/$MY_USERNAME/README
-		echo $'passwords which could lead to people pretending to be you. A peering pass' >> /home/$MY_USERNAME/README
-		echo $'should not contain someone elses nickname or info but should contain yours' >> /home/$MY_USERNAME/README
-		echo $'to ensure it is not shared. It also helps when editing the conf to know who' >> /home/$MY_USERNAME/README
-		echo $'each password is for.' >> /home/$MY_USERNAME/README
-		echo '' >> /home/$MY_USERNAME/README
-		echo $'Possible cjdns destinations of interest:' >> /home/$MY_USERNAME/README
-		echo '    http://transitiontech.ca/faq' >> /home/$MY_USERNAME/README
-		echo '    http://cjdns.ca/hypeirc.txt' >> /home/$MY_USERNAME/README
-		chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
-		chmod 600 /home/$MY_USERNAME/README
-	fi
-
-	echo 'mesh_cjdns' >> $COMPLETION_FILE
+    if [[ $ENABLE_CJDNS != "yes" ]]; then
+        return
+    fi
+
+    # update to the next commit
+    function_check set_repo_commit
+    set_repo_commit /etc/cjdns "cjdns commit" "$CJDNS_COMMIT" $CJDNS_REPO
+
+    if grep -Fxq "mesh_cjdns" $COMPLETION_FILE; then
+        return
+    fi
+
+    apt-get -y install nodejs git build-essential nmap
+
+    # if a README exists then obtain the cjdns parameters
+    function_check get_cjdns_ipv6_address
+    get_cjdns_ipv6_address
+
+    function_check get_cjdns_public_key
+    get_cjdns_public_key
+
+    function_check get_cjdns_private_key
+    get_cjdns_private_key
+
+    function_check get_cjdns_port
+    get_cjdns_port
+
+    function_check get_cjdns_password
+    get_cjdns_password
+
+    # special compile settings for running ./do on the Beaglebone Black
+    if [[ $INSTALLING_ON_BBB == "yes" ]]; then
+        CFLAGS="-O2 -march=armv7-a -mtune=cortex-a8 -mfpu=neon -ftree-vectorize -ffast-math -mfloat-abi=hard -marm -Wno-error=maybe-uninitialized"
+        export LDFLAGS="$CFLAGS"
+    fi
+
+    if [ ! -d /etc/cjdns ]; then
+        function_check git_pull
+        git_clone $CJDNS_REPO /etc/cjdns
+        cd /etc/cjdns
+
+        git checkout $CJDNS_COMMIT -b $CJDNS_COMMIT
+        if ! grep -q "cjdns commit" $COMPLETION_FILE; then
+            echo "cjdns commit:$CJDNS_COMMIT" >> $COMPLETION_FILE
+        else
+            sed -i "s/cjdns commit.*/cjdns commit:$CJDNS_COMMIT/g" $COMPLETION_FILE
+        fi
+
+        ./do
+        if [ ! "$?" = "0" ]; then
+            exit 7439
+        fi
+        # create a configuration
+        if [ ! -f /etc/cjdns/cjdroute.conf ]; then
+            ./cjdroute --genconf > /etc/cjdns/cjdroute.conf
+            if [ ! "$?" = "0" ]; then
+                exit 5922
+            fi
+        fi
+        # create a user to run as
+        useradd cjdns
+    else
+        cd /etc/cjdns
+        function_check git_pull
+        git_pull $CJDNS_REPO
+        ./do
+        if [ ! "$?" = "0" ]; then
+            exit 9926
+        fi
+    fi
+
+    # set permissions
+    chown -R cjdns:cjdns /etc/cjdns
+    chmod 600 /etc/cjdns/cjdroute.conf
+
+    /sbin/ip tuntap add mode tun user cjdns dev cjdroute0
+
+    # insert values into the configuration file
+    if [ $CJDNS_PRIVATE_KEY ]; then
+        sed -i "s/\"privateKey\":.*/\"privateKey\": \"$CJDNS_PRIVATE_KEY\",/g" /etc/cjdns/cjdroute.conf
+    else
+        CJDNS_PRIVATE_KEY=$(cat /etc/cjdns/cjdroute.conf | grep '"privateKey"' | awk -F '"' '{print $4}' | sed -n 1p)
+    fi
+    if [ $CJDNS_PUBLIC_KEY ]; then
+        sed -i "s/\"publicKey\":.*/\"publicKey\": \"$CJDNS_PUBLIC_KEY\",/g" /etc/cjdns/cjdroute.conf
+    else
+        CJDNS_PUBLIC_KEY=$(cat /etc/cjdns/cjdroute.conf | grep '"publicKey"' | awk -F '"' '{print $4}' | sed -n 1p)
+    fi
+    if [ $CJDNS_IPV6 ]; then
+        sed -i "s/\"ipv6\":.*/\"ipv6\": \"$CJDNS_IPV6\",/g" /etc/cjdns/cjdroute.conf
+    else
+        CJDNS_IPV6=$(cat /etc/cjdns/cjdroute.conf | grep '"ipv6"' | awk -F '"' '{print $4}' | sed -n 1p)
+    fi
+    if [ $CJDNS_PASSWORD ]; then
+        sed -i "0,/{\"password\":.*/s//{\"password\": \"$CJDNS_PASSWORD\"}/g" /etc/cjdns/cjdroute.conf
+    else
+        CJDNS_PASSWORD=$(cat /etc/cjdns/cjdroute.conf | grep '"password"' | awk -F '"' '{print $4}' | sed -n 1p)
+    fi
+    if [ $CJDNS_PORT ]; then
+        sed -i "s/\"bind\": \"0.0.0.0:.*/\"bind\": \"0.0.0.0:$CJDNS_PORT\",/g" /etc/cjdns/cjdroute.conf
+    else
+        CJDNS_PORT=$(cat /etc/cjdns/cjdroute.conf | grep '"bind": "0.0.0.0:' | awk -F '"' '{print $4}' | awk -F ':' '{print $2}' | sed -n 1p)
+    fi
+
+    function_check enable_ipv6
+    enable_ipv6
+
+    echo '#!/bin/sh -e' > /etc/init.d/cjdns
+    echo '### BEGIN INIT INFO' >> /etc/init.d/cjdns
+    echo '# hyperboria.sh - An init script (/etc/init.d/) for cjdns' >> /etc/init.d/cjdns
+    echo '# Provides:          cjdroute' >> /etc/init.d/cjdns
+    echo '# Required-Start:    $remote_fs $network' >> /etc/init.d/cjdns
+    echo '# Required-Stop:     $remote_fs $network' >> /etc/init.d/cjdns
+    echo '# Default-Start:     2 3 4 5' >> /etc/init.d/cjdns
+    echo '# Default-Stop:      0 1 6' >> /etc/init.d/cjdns
+    echo '# Short-Description: Cjdns router' >> /etc/init.d/cjdns
+    echo '# Description:       A routing engine designed for security, scalability, speed and ease of use.' >> /etc/init.d/cjdns
+    echo '# cjdns git repo:    https://github.com/cjdelisle/cjdns/' >> /etc/init.d/cjdns
+    echo '### END INIT INFO' >> /etc/init.d/cjdns
+    echo '' >> /etc/init.d/cjdns
+    echo 'PROG="cjdroute"' >> /etc/init.d/cjdns
+    echo 'GIT_PATH="/etc/cjdns"' >> /etc/init.d/cjdns
+    echo 'PROG_PATH="/etc/cjdns"' >> /etc/init.d/cjdns
+    echo 'CJDNS_CONFIG="cjdroute.conf"' >> /etc/init.d/cjdns
+    echo 'CJDNS_USER="cjdns"' >> /etc/init.d/cjdns
+    echo "CJDNS_IP='$CJDNS_IPV6'" >> /etc/init.d/cjdns
+    echo '' >> /etc/init.d/cjdns
+    echo 'start() {' >> /etc/init.d/cjdns
+    echo '     # Start it up with the user cjdns' >> /etc/init.d/cjdns
+    echo '     if [ $(pgrep cjdroute | wc -l) != 0 ];' >> /etc/init.d/cjdns
+    echo '     then' >> /etc/init.d/cjdns
+    echo '         echo "cjdroute is already running. Doing nothing..."' >> /etc/init.d/cjdns
+    echo '     else' >> /etc/init.d/cjdns
+    echo '         echo " * Starting cjdroute"' >> /etc/init.d/cjdns
+    echo '         su -c "$PROG_PATH/$PROG < $PROG_PATH/$CJDNS_CONFIG" - $CJDNS_USER' >> /etc/init.d/cjdns
+    echo '         /sbin/ip addr add $CJDNS_IP/8 dev tun0' >> /etc/init.d/cjdns
+    echo '         /sbin/ip link set mtu 1312 dev tun0' >> /etc/init.d/cjdns
+    echo '         /sbin/ip link set tun0 up' >> /etc/init.d/cjdns
+    echo '         /sbin/ip tuntap add mode tun user cjdns dev tun0' >> /etc/init.d/cjdns
+    echo '     fi' >> /etc/init.d/cjdns
+    echo '}' >> /etc/init.d/cjdns
+    echo '' >> /etc/init.d/cjdns
+    echo 'stop() {' >> /etc/init.d/cjdns
+    echo '' >> /etc/init.d/cjdns
+    echo '     if [ $(pgrep cjdroute | wc -l) != 2 ];' >> /etc/init.d/cjdns
+    echo '     then' >> /etc/init.d/cjdns
+    echo '         echo "cjdns isnt running."' >> /etc/init.d/cjdns
+    echo '     else' >> /etc/init.d/cjdns
+    echo '         echo "Killing cjdroute"' >> /etc/init.d/cjdns
+    echo '         killall cjdroute' >> /etc/init.d/cjdns
+    echo '     fi' >> /etc/init.d/cjdns
+    echo '}' >> /etc/init.d/cjdns
+    echo '' >> /etc/init.d/cjdns
+    echo 'status() {' >> /etc/init.d/cjdns
+    echo '     if [ $(pgrep cjdroute | wc -l) != 0 ];' >> /etc/init.d/cjdns
+    echo '     then' >> /etc/init.d/cjdns
+    echo '         echo "Cjdns is running"' >> /etc/init.d/cjdns
+    echo '     else' >> /etc/init.d/cjdns
+    echo '         echo "Cjdns is not running"' >> /etc/init.d/cjdns
+    echo '     fi' >> /etc/init.d/cjdns
+    echo '}' >> /etc/init.d/cjdns
+    echo '' >> /etc/init.d/cjdns
+    echo ' update() {' >> /etc/init.d/cjdns
+    echo '     cd $GIT_PATH' >> /etc/init.d/cjdns
+    echo '     echo "Updating..."' >> /etc/init.d/cjdns
+    echo '     git pull' >> /etc/init.d/cjdns
+    echo '     ./do' >> /etc/init.d/cjdns
+    echo '}' >> /etc/init.d/cjdns
+    echo '' >> /etc/init.d/cjdns
+    echo '## Check to see if we are running as root first.' >> /etc/init.d/cjdns
+    echo 'if [ "$(id -u)" != "0" ]; then' >> /etc/init.d/cjdns
+    echo '    echo "This script must be run as root" 1>&2' >> /etc/init.d/cjdns
+    echo '    exit 1' >> /etc/init.d/cjdns
+    echo 'fi' >> /etc/init.d/cjdns
+    echo '' >> /etc/init.d/cjdns
+    echo 'case $1 in' >> /etc/init.d/cjdns
+    echo '     start)' >> /etc/init.d/cjdns
+    echo '         start' >> /etc/init.d/cjdns
+    echo '         exit 0' >> /etc/init.d/cjdns
+    echo '     ;;' >> /etc/init.d/cjdns
+    echo '     stop)' >> /etc/init.d/cjdns
+    echo '         stop' >> /etc/init.d/cjdns
+    echo '         exit 0' >> /etc/init.d/cjdns
+    echo '     ;;' >> /etc/init.d/cjdns
+    echo '     reload|restart|force-reload)' >> /etc/init.d/cjdns
+    echo '         stop' >> /etc/init.d/cjdns
+    echo '         sleep 1' >> /etc/init.d/cjdns
+    echo '         start' >> /etc/init.d/cjdns
+    echo '         exit 0' >> /etc/init.d/cjdns
+    echo '     ;;' >> /etc/init.d/cjdns
+    echo '     status)' >> /etc/init.d/cjdns
+    echo '         status' >> /etc/init.d/cjdns
+    echo '         exit 0' >> /etc/init.d/cjdns
+    echo '     ;;' >> /etc/init.d/cjdns
+    echo '     update|upgrade)' >> /etc/init.d/cjdns
+    echo '         update' >> /etc/init.d/cjdns
+    echo '         stop' >> /etc/init.d/cjdns
+    echo '         sleep 2' >> /etc/init.d/cjdns
+    echo '         start' >> /etc/init.d/cjdns
+    echo '         exit 0' >> /etc/init.d/cjdns
+    echo '     ;;' >> /etc/init.d/cjdns
+    echo '     **)' >> /etc/init.d/cjdns
+    echo '         echo "Usage: $0 (start|stop|restart|status|update)" 1>&2' >> /etc/init.d/cjdns
+    echo '         exit 1' >> /etc/init.d/cjdns
+    echo '     ;;' >> /etc/init.d/cjdns
+    echo 'esac' >> /etc/init.d/cjdns
+    chmod +x /etc/init.d/cjdns
+    update-rc.d cjdns defaults
+    service cjdns start
+    if [ ! "$?" = "0" ]; then
+        systemctl status cjdns.service
+        exit 8260
+    fi
+
+    apt-get -y install radvd
+    echo 'interface eth0' > /etc/radvd.conf
+    echo '{' >> /etc/radvd.conf
+    echo '    AdvSendAdvert on;' >> /etc/radvd.conf
+    echo '    prefix fdfc::1/64' >> /etc/radvd.conf
+    echo '    {' >> /etc/radvd.conf
+    echo '        AdvRouterAddr on;' >> /etc/radvd.conf
+    echo '    };' >> /etc/radvd.conf
+    echo '};' >> /etc/radvd.conf
+    systemctl restart radvd
+    if [ ! "$?" = "0" ]; then
+        systemctl status radvd.service
+        exit 4395
+    fi
+
+    if ! grep -q "# Mesh Networking (cjdns)" /etc/network/interfaces; then
+        echo '' >> /etc/network/interfaces
+        echo '# Mesh Networking (cjdns)' >> /etc/network/interfaces
+        echo 'iface eth0 inet6 static' >> /etc/network/interfaces
+        echo '    pre-up modprobe ipv6' >> /etc/network/interfaces
+        echo '    address fdfc:0000:0000:0000:0000:0000:0000:0001' >> /etc/network/interfaces
+        echo '    netmask 64' >> /etc/network/interfaces
+        service network-manager restart
+        if [ ! "$?" = "0" ]; then
+            systemctl status networking.service
+            exit 6949
+        fi
+    fi
+
+    ip6tables -A INPUT -p udp --dport $CJDNS_PORT -j ACCEPT
+    ip6tables -A INPUT -p tcp --dport $CJDNS_PORT -j ACCEPT
+
+    function_ckeck save_firewall_settings
+    save_firewall_settings
+
+    if ! grep -q $"Mesh Networking (cjdns)" /home/$MY_USERNAME/README; then
+        CURRENT_IP_ADDRESS=$(ip addr show | grep "inet " | sed -n 2p | awk -F ' ' '{print $2}' | awk -F '/' '{print $1}')
+
+        echo '' >> /home/$MY_USERNAME/README
+        echo '' >> /home/$MY_USERNAME/README
+        echo $'Mesh Networking (cjdns)' >> /home/$MY_USERNAME/README
+        echo '=======================' >> /home/$MY_USERNAME/README
+        echo $"cjdns IPv6 address: $CJDNS_IPV6" >> /home/$MY_USERNAME/README
+        echo $"cjdns public key: $CJDNS_PUBLIC_KEY" >> /home/$MY_USERNAME/README
+        echo $"cjdns private key: $CJDNS_PRIVATE_KEY" >> /home/$MY_USERNAME/README
+        echo $"cjdns password: $CJDNS_PASSWORD" >> /home/$MY_USERNAME/README
+        echo $"cjdns port: $CJDNS_PORT" >> /home/$MY_USERNAME/README
+        echo '' >> /home/$MY_USERNAME/README
+        echo $"Forward port $CJDNS_PORT from your internet router to the ${PROJECT_NAME}" >> /home/$MY_USERNAME/README
+        echo '' >> /home/$MY_USERNAME/README
+        echo $'Below is an example of your connection credentials' >> /home/$MY_USERNAME/README
+        echo $'that you can give to other people so they can connect' >> /home/$MY_USERNAME/README
+        echo $'to you using your default password' >> /home/$MY_USERNAME/README
+        echo $'Adding a unique password for each user is advisable' >> /home/$MY_USERNAME/README
+        echo $'so that leaks can be isolated.' >> /home/$MY_USERNAME/README
+        echo '' >> /home/$MY_USERNAME/README
+        echo "\"$CURRENT_IP_ADDRESS:$CJDNS_PORT\":{\"password\":\"$CJDNS_PASSWORD\",\"publicKey\":\"$CJDNS_PUBLIC_KEY\"}" >> /home/$MY_USERNAME/README
+        echo '' >> /home/$MY_USERNAME/README
+        echo $'More is not better. 3-5 cjdns peers is good. 30 peers is bad.' >> /home/$MY_USERNAME/README
+        echo '' >> /home/$MY_USERNAME/README
+        echo $'NEVER USE A PUBLIC PEER. These degrade the network and make it centralized.' >> /home/$MY_USERNAME/README
+        echo $'Each node can handle many peers, but no node can handle the entire internet.' >> /home/$MY_USERNAME/README
+        echo $'As this network grows any public peer will simply become saturated and' >> /home/$MY_USERNAME/README
+        echo $'useless causing issues for the entire network.' >> /home/$MY_USERNAME/README
+        echo $'Please report anyone offering you a public peer as they are promoting shared' >> /home/$MY_USERNAME/README
+        echo $'passwords which could lead to people pretending to be you. A peering pass' >> /home/$MY_USERNAME/README
+        echo $'should not contain someone elses nickname or info but should contain yours' >> /home/$MY_USERNAME/README
+        echo $'to ensure it is not shared. It also helps when editing the conf to know who' >> /home/$MY_USERNAME/README
+        echo $'each password is for.' >> /home/$MY_USERNAME/README
+        echo '' >> /home/$MY_USERNAME/README
+        echo $'Possible cjdns destinations of interest:' >> /home/$MY_USERNAME/README
+        echo '    http://transitiontech.ca/faq' >> /home/$MY_USERNAME/README
+        echo '    http://cjdns.ca/hypeirc.txt' >> /home/$MY_USERNAME/README
+        chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/README
+        chmod 600 /home/$MY_USERNAME/README
+    fi
+
+    function_check configure_firewall_for_cjdns
+    configure_firewall_for_cjdns
+
+    echo 'mesh_cjdns' >> $COMPLETION_FILE
 }
 
 function mesh_cjdns_tools {
-	if grep -Fxq "mesh_cjdns_tools" $COMPLETION_FILE; then
-		return
-	fi
-	if [[ $ENABLE_CJDNS != "yes" ]]; then
-		return
-	fi
-	if [ ! -d /etc/cjdns ]; then
-		mesh_cjdns
-	fi
-
-	function_check select_go_version
-	select_go_version
-
-	apt-get -y install golang mercurial
-	if [ ! -f ~/.bashrc ]; then
-		touch ~/.bashrc
-	fi
-
-	if [ ! -d /home/git ]; then
-		# add a gogs user account
-		adduser --disabled-login --gecos 'Gogs' git
-
-		# install Go
-		if ! grep -q "export GOPATH=" ~/.bashrc; then
-			echo "export GOPATH=$GOPATH" >> ~/.bashrc
-		fi
-		systemctl set-environment GOPATH=$GOPATH
-		if ! grep -q "systemctl set-environment GOPATH=" ~/.bashrc; then
-			echo "systemctl set-environment GOPATH=$GOPATH" >> ~/.bashrc
-		fi
-		if [ ! -d $GOPATH ]; then
-			mkdir -p $GOPATH
-		fi
-	fi
-
-	if ! grep -q "export GOPATH=" ~/.bashrc; then
-		echo "export GOPATH=$GOPATH" >> ~/.bashrc
-	fi
-	expected_go_path='export PATH=$PATH:'${GOPATH}'/bin'
-	export PATH=$PATH:${GOPATH}/bin
-	if ! grep -q "$expected_go_path" ~/.bashrc; then
-		echo "$expected_go_path" >> ~/.bashrc
-	fi
-	export PATH=$PATH:$GOPATH/bin
-	CJDCMD_REPO2=$(echo "$CJDCMD_REPO" | sed 's|https://||g')
-	go get $CJDCMD_REPO2
-	if [ ! -f $GOPATH/bin/cjdcmd ]; then
-		echo $'cjdcmd was not compiled. Check your golang installation'
-		exit 7439
-	fi
-	cp $GOPATH/bin/cjdcmd /usr/bin
-
-	# initialise from the cjdns config
-	/usr/bin/cjdcmd cjdnsadmin -file /etc/cjdns/cjdroute.conf
-
-	echo 'mesh_cjdns_tools' >> $COMPLETION_FILE
+    if grep -Fxq "mesh_cjdns_tools" $COMPLETION_FILE; then
+        return
+    fi
+    if [[ $ENABLE_CJDNS != "yes" ]]; then
+        return
+    fi
+    if [ ! -d /etc/cjdns ]; then
+        mesh_cjdns
+    fi
+
+    function_check select_go_version
+    select_go_version
+
+    apt-get -y install golang mercurial
+    if [ ! -f ~/.bashrc ]; then
+        touch ~/.bashrc
+    fi
+
+    if [ ! -d /home/git ]; then
+        # add a gogs user account
+        adduser --disabled-login --gecos 'Gogs' git
+
+        # install Go
+        if ! grep -q "export GOPATH=" ~/.bashrc; then
+            echo "export GOPATH=$GOPATH" >> ~/.bashrc
+        fi
+        systemctl set-environment GOPATH=$GOPATH
+        if ! grep -q "systemctl set-environment GOPATH=" ~/.bashrc; then
+            echo "systemctl set-environment GOPATH=$GOPATH" >> ~/.bashrc
+        fi
+        if [ ! -d $GOPATH ]; then
+            mkdir -p $GOPATH
+        fi
+    fi
+
+    if ! grep -q "export GOPATH=" ~/.bashrc; then
+        echo "export GOPATH=$GOPATH" >> ~/.bashrc
+    fi
+    expected_go_path='export PATH=$PATH:'${GOPATH}'/bin'
+    export PATH=$PATH:${GOPATH}/bin
+    if ! grep -q "$expected_go_path" ~/.bashrc; then
+        echo "$expected_go_path" >> ~/.bashrc
+    fi
+    export PATH=$PATH:$GOPATH/bin
+    CJDCMD_REPO2=$(echo "$CJDCMD_REPO" | sed 's|https://||g')
+    go get $CJDCMD_REPO2
+    if [ ! -f $GOPATH/bin/cjdcmd ]; then
+        echo $'cjdcmd was not compiled. Check your golang installation'
+        exit 7439
+    fi
+    cp $GOPATH/bin/cjdcmd /usr/bin
+
+    # initialise from the cjdns config
+    /usr/bin/cjdcmd cjdnsadmin -file /etc/cjdns/cjdroute.conf
+
+    echo 'mesh_cjdns_tools' >> $COMPLETION_FILE
 }
 
 # NOTE: deliberately no exit 0

src/freedombone-app-dlna

@@ -28,6 +28,27 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+function configure_firewall_for_dlna {
+	if grep -Fxq "configure_firewall_for_dlna" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
+		# docker does its own firewalling
+		return
+	fi
+	if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" ]]; then
+		return
+	fi
+	iptables -A INPUT -p udp --dport 1900 -j ACCEPT
+	iptables -A INPUT -p tcp --dport 8200 -j ACCEPT
+	function_check save_firewall_settings
+	save_firewall_settings
+
+	OPEN_PORTS+=('DLNA     1900')
+	OPEN_PORTS+=('DLNA     8200')
+	echo 'configure_firewall_for_dlna' >> $COMPLETION_FILE
+}
+
 function install_dlna_server {
 	if grep -Fxq "install_dlna_server" $COMPLETION_FILE; then
 		return

src/freedombone-app-email

@@ -78,6 +78,34 @@ GPGIT_COMMIT='583dc76119f19420f8a33f606744faa7c8922738'
 # refresh gpg keys every few hours
 REFRESH_GPG_KEYS_HOURS=2
 
+function configure_firewall_for_email {
+	if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" ]]; then
+		return
+	fi
+	if grep -Fxq "configure_firewall_for_email" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
+		# docker does its own firewalling
+		return
+	fi
+	if [[ $ONION_ONLY != "no" ]]; then
+		return
+	fi
+	iptables -A INPUT -p tcp --dport 25 -j ACCEPT
+	iptables -A INPUT -p tcp --dport 587 -j ACCEPT
+	iptables -A INPUT -p tcp --dport 465 -j ACCEPT
+	iptables -A INPUT -p tcp --dport 993 -j ACCEPT
+	function_check save_firewall_settings
+	save_firewall_settings
+
+	OPEN_PORTS+=('Email    25')
+	OPEN_PORTS+=('Email    587')
+	OPEN_PORTS+=('Email    465')
+	OPEN_PORTS+=('Email    993')
+	echo 'configure_firewall_for_email' >> $COMPLETION_FILE
+}
+
 function encrypt_incoming_email {
 	# encrypts incoming mail using your GPG public key
 	# so even if an attacker gains access to the data at rest they still need

src/freedombone-app-ipfs

@@ -32,6 +32,24 @@ IPFS_GO_REPO="https://github.com/ipfs/go-ipfs"
 IPFS_COMMIT='20b06a4cbce8884f5b194da6e98cb11f2c77f166'
 IPFS_PORT=4001
 
+function configure_firewall_for_ipfs {
+	if [[ $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" ]]; then
+		return
+	fi
+	if grep -Fxq "configure_firewall_for_ipfs" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $ONION_ONLY != "no" ]]; then
+		return
+	fi
+	iptables -A INPUT -p tcp --dport $IPFS_PORT -j ACCEPT
+	function_check save_firewall_settings
+	save_firewall_settings
+
+	OPEN_PORTS+=("IPFS     $IPFS_PORT")
+	echo 'configure_firewall_for_ipfs' >> $COMPLETION_FILE
+}
+
 function install_ipfs {
 	if [[ $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" ]]; then
 		return
@@ -163,5 +181,8 @@ function install_ipfs {
 		rm /tmp/ipfsid
 	fi
 
+	function_check configure_firewall_for_ipfs
+	configure_firewall_for_ipfs
+
 	echo 'install_ipfs' >> $COMPLETION_FILE
 }

src/freedombone-app-irc

@@ -34,6 +34,29 @@ IRC_ONION_PORT=6697
 # An optional password to log into IRC. This applies to all users
 IRC_PASSWORD=
 
+function configure_firewall_for_irc {
+	if [ ! -d /etc/ngircd ]; then
+		return
+	fi
+	if grep -Fxq "configure_firewall_for_irc" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
+		# docker does its own firewalling
+		return
+	fi
+	if [[ $ONION_ONLY != "no" ]]; then
+		return
+	fi
+	iptables -A INPUT -p tcp --dport $IRC_PORT  -j ACCEPT
+	iptables -I INPUT -p tcp --dport 1024:65535 --sport $IRC_PORT -j ACCEPT
+	function_check save_firewall_settings
+	save_firewall_settings
+
+	OPEN_PORTS+=("IRC      $IRC_PORT")
+	echo 'configure_firewall_for_irc' >> $COMPLETION_FILE
+}
+
 function install_irc_server {
 	if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
 		return

src/freedombone-app-mumble

@@ -53,6 +53,25 @@ function get_voip_server_password {
 	fi
 }
 
+function configure_firewall_for_voip {
+	if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then
+		return
+	fi
+	if grep -Fxq "configure_firewall_for_voip" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $ONION_ONLY != "no" ]]; then
+		return
+	fi
+	iptables -A INPUT -p udp --dport $VOIP_PORT -j ACCEPT
+	iptables -A INPUT -p tcp --dport $VOIP_PORT -j ACCEPT
+	function_check save_firewall_settings
+	save_firewall_settings
+
+	OPEN_PORTS+=("Mumble   $VOIP_PORT")
+	echo 'configure_firewall_for_voip' >> $COMPLETION_FILE
+}
+
 function install_mumble {
 	if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then
 		return

src/freedombone-app-sip

@@ -35,6 +35,50 @@ VOIP_TURN_PORT=3478
 VOIP_TURN_TLS_PORT=5349
 VOIP_TURN_NONCE=
 
+function configure_firewall_for_voip_turn {
+	if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then
+		return
+	fi
+	if grep -Fxq "configure_firewall_for_voip_turn" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $ONION_ONLY != "no" ]]; then
+		return
+	fi
+	iptables -A INPUT -p udp --dport $VOIP_TURN_PORT -j ACCEPT
+	iptables -A INPUT -p tcp --dport $VOIP_TURN_PORT -j ACCEPT
+	iptables -A INPUT -p tcp --dport $VOIP_TURN_TLS_PORT -j ACCEPT
+	function_check save_firewall_settings
+	save_firewall_settings
+
+	OPEN_PORTS+=("TURN     $VOIP_TURN_PORT")
+	OPEN_PORTS+=("TURN TLS $VOIP_TURN_TLS_PORT")
+	echo 'configure_firewall_for_voip_turn' >> $COMPLETION_FILE
+}
+
+
+function configure_firewall_for_sip4 {
+	if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then
+		return
+	fi
+	if grep -Fxq "configure_firewall_for_sip4" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $ONION_ONLY != "no" ]]; then
+		return
+	fi
+	iptables -A INPUT -p udp --dport $SIP_PORT -j ACCEPT
+	iptables -A INPUT -p tcp --dport $SIP_PORT -j ACCEPT
+	iptables -A INPUT -p udp --dport $SIP_TLS_PORT -j ACCEPT
+	iptables -A INPUT -p tcp --dport $SIP_TLS_PORT -j ACCEPT
+	function_check save_firewall_settings
+	save_firewall_settings
+
+	OPEN_PORTS+=("SIP      $SIP_PORT")
+	OPEN_PORTS+=("SIP TLS  $SIP_TLS_PORT")
+	echo 'configure_firewall_for_sip4' >> $COMPLETION_FILE
+}
+
 function get_sip_server_password {
 	if [ -f /home/$MY_USERNAME/README ]; then
 		if grep -q "SIP server password" /home/$MY_USERNAME/README; then

src/freedombone-app-syncthing

@@ -37,6 +37,19 @@ SYNCTHING_PORT=22000
 SYNCTHING_SHARED_DATA=/var/lib/syncthing/SyncShared
 SYNCTHING_USER_IDS_FILE='.syncthingids'
 
+function configure_firewall_for_syncthing {
+	if grep -Fxq "configure_firewall_for_syncthing" $COMPLETION_FILE; then
+		return
+	fi
+	iptables -A INPUT -p udp --dport $SYNCTHING_PORT -j ACCEPT
+	iptables -A INPUT -p tcp --dport $SYNCTHING_PORT -j ACCEPT
+	function_check save_firewall_settings
+	save_firewall_settings
+
+	OPEN_PORTS+=("Syncthing $SYNCTHING_PORT")
+	echo 'configure_firewall_for_syncthing' >> $COMPLETION_FILE
+}
+
 function install_syncthing {
 	if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" ]]; then
 		return

src/freedombone-app-tox

@@ -44,6 +44,25 @@ TOXIC_REPO="https://github.com/Tox/toxic"
 TOXIC_COMMIT='cf16849b374e484a33a4dffa3dfb937b59d537f2'
 TOXIC_FILE=/usr/local/bin/toxic
 
+function configure_firewall_for_tox {
+	if grep -Fxq "configure_firewall_for_tox" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
+		# docker does its own firewalling
+		return
+	fi
+	if [[ $ONION_ONLY != "no" ]]; then
+		return
+	fi
+	iptables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT
+	function_check save_firewall_settings
+	save_firewall_settings
+
+	OPEN_PORTS+=("Tox      $TOX_PORT")
+	echo 'configure_firewall_for_tox' >> $COMPLETION_FILE
+}
+
 function tox_avahi {
 	if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then
 		return

src/freedombone-app-xmpp

@@ -35,6 +35,32 @@ XMPP_PASSWORD=
 XMPP_CIPHERS='"EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"'
 XMPP_ECC_CURVE='"secp384r1"'
 
+function configure_firewall_for_xmpp {
+	if [ ! -d /etc/prosody ]; then
+		return
+	fi
+	if grep -Fxq "configure_firewall_for_xmpp" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
+		# docker does its own firewalling
+		return
+	fi
+	if [[ $ONION_ONLY != "no" ]]; then
+		return
+	fi
+	iptables -A INPUT -p tcp --dport 5222:5223 -j ACCEPT
+	iptables -A INPUT -p tcp --dport 5269 -j ACCEPT
+	iptables -A INPUT -p tcp --dport 5280:5281 -j ACCEPT
+	function_check save_firewall_settings
+	save_firewall_settings
+
+	OPEN_PORTS+=('XMPP     5222-5223')
+	OPEN_PORTS+=('XMPP     5269')
+	OPEN_PORTS+=('XMPP     5280-5281')
+	echo 'configure_firewall_for_xmpp' >> $COMPLETION_FILE
+}
+
 function update_prosody_modules {
 	if [ ! -d $INSTALL_DIR/prosody-modules ]; then
 		return

src/freedombone-app-zeronet

@@ -45,6 +45,26 @@ ZERONET_DEFAULT_MAIL_TAGLINE="Mail for the Mesh"
 ZERONET_ID_REPO="https://github.com/HelloZeroNet/ZeroID"
 ZERONET_ID_COMMIT='ccf14fdc96fa9cdb2ddd8a7ab283a8e17a4f234b'
 
+function configure_firewall_for_zeronet {
+	if grep -Fxq "configure_firewall_for_zeronet" $COMPLETION_FILE; then
+		return
+	fi
+	if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then
+		return
+	fi
+	iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $ZERONET_PORT -j ACCEPT
+	iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $ZERONET_PORT -j ACCEPT
+	iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $TRACKER_PORT -j ACCEPT
+	iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $TRACKER_PORT -j ACCEPT
+	iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport 1900 -j ACCEPT
+	function_check save_firewall_settings
+	save_firewall_settings
+
+	OPEN_PORTS+=("ZeroNet  $ZERONET_PORT")
+	OPEN_PORTS+=("Tracker  $TRACKER_PORT")
+	echo 'configure_firewall_for_zeronet' >> $COMPLETION_FILE
+}
+
 function install_zeronet_blog {
 	if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then
 		return

src/freedombone-utils-firewall

@@ -103,100 +103,6 @@ function configure_firewall_ping {
 	echo 'configure_firewall_ping' >> $COMPLETION_FILE
 }
 
-function configure_firewall_for_voip {
-	if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then
-		return
-	fi
-	if grep -Fxq "configure_firewall_for_voip" $COMPLETION_FILE; then
-		return
-	fi
-	if [[ $ONION_ONLY != "no" ]]; then
-		return
-	fi
-	iptables -A INPUT -p udp --dport $VOIP_PORT -j ACCEPT
-	iptables -A INPUT -p tcp --dport $VOIP_PORT -j ACCEPT
-	function_check save_firewall_settings
-	save_firewall_settings
-
-	OPEN_PORTS+=("Mumble   $VOIP_PORT")
-	echo 'configure_firewall_for_voip' >> $COMPLETION_FILE
-}
-
-function configure_firewall_for_syncthing {
-	if grep -Fxq "configure_firewall_for_syncthing" $COMPLETION_FILE; then
-		return
-	fi
-	iptables -A INPUT -p udp --dport $SYNCTHING_PORT -j ACCEPT
-	iptables -A INPUT -p tcp --dport $SYNCTHING_PORT -j ACCEPT
-	function_check save_firewall_settings
-	save_firewall_settings
-
-	OPEN_PORTS+=("Syncthing $SYNCTHING_PORT")
-	echo 'configure_firewall_for_syncthing' >> $COMPLETION_FILE
-}
-
-function configure_firewall_for_voip_turn {
-	if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then
-		return
-	fi
-	if grep -Fxq "configure_firewall_for_voip_turn" $COMPLETION_FILE; then
-		return
-	fi
-	if [[ $ONION_ONLY != "no" ]]; then
-		return
-	fi
-	iptables -A INPUT -p udp --dport $VOIP_TURN_PORT -j ACCEPT
-	iptables -A INPUT -p tcp --dport $VOIP_TURN_PORT -j ACCEPT
-	iptables -A INPUT -p tcp --dport $VOIP_TURN_TLS_PORT -j ACCEPT
-	function_check save_firewall_settings
-	save_firewall_settings
-
-	OPEN_PORTS+=("TURN     $VOIP_TURN_PORT")
-	OPEN_PORTS+=("TURN TLS $VOIP_TURN_TLS_PORT")
-	echo 'configure_firewall_for_voip_turn' >> $COMPLETION_FILE
-}
-
-
-function configure_firewall_for_sip4 {
-	if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then
-		return
-	fi
-	if grep -Fxq "configure_firewall_for_sip4" $COMPLETION_FILE; then
-		return
-	fi
-	if [[ $ONION_ONLY != "no" ]]; then
-		return
-	fi
-	iptables -A INPUT -p udp --dport $SIP_PORT -j ACCEPT
-	iptables -A INPUT -p tcp --dport $SIP_PORT -j ACCEPT
-	iptables -A INPUT -p udp --dport $SIP_TLS_PORT -j ACCEPT
-	iptables -A INPUT -p tcp --dport $SIP_TLS_PORT -j ACCEPT
-	function_check save_firewall_settings
-	save_firewall_settings
-
-	OPEN_PORTS+=("SIP      $SIP_PORT")
-	OPEN_PORTS+=("SIP TLS  $SIP_TLS_PORT")
-	echo 'configure_firewall_for_sip4' >> $COMPLETION_FILE
-}
-
-function configure_firewall_for_ipfs {
-	if [[ $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" ]]; then
-		return
-	fi
-	if grep -Fxq "configure_firewall_for_ipfs" $COMPLETION_FILE; then
-		return
-	fi
-	if [[ $ONION_ONLY != "no" ]]; then
-		return
-	fi
-	iptables -A INPUT -p tcp --dport $IPFS_PORT -j ACCEPT
-	function_check save_firewall_settings
-	save_firewall_settings
-
-	OPEN_PORTS+=("IPFS     $IPFS_PORT")
-	echo 'configure_firewall_for_ipfs' >> $COMPLETION_FILE
-}
-
 function configure_firewall_for_avahi {
 	if grep -Fxq "configure_firewall_for_avahi" $COMPLETION_FILE; then
 		return
@@ -212,89 +118,6 @@ function configure_firewall_for_avahi {
 	echo 'configure_firewall_for_avahi' >> $COMPLETION_FILE
 }
 
-function configure_firewall_for_cjdns {
-	if grep -Fxq "configure_firewall_for_cjdns" $COMPLETION_FILE; then
-		return
-	fi
-	if [[ $ENABLE_CJDNS != "yes" ]]; then
-		return
-	fi
-	ip6tables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
-	ip6tables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-	function_check save_firewall_settings
-	save_firewall_settings
-	echo 'configure_firewall_for_cjdns' >> $COMPLETION_FILE
-}
-
-function configure_firewall_for_batman {
-	if grep -Fxq "configure_firewall_for_batman" $COMPLETION_FILE; then
-		return
-	fi
-	if [[ $ENABLE_BATMAN != "yes" ]]; then
-		return
-	fi
-
-	function_check save_firewall_settings
-	save_firewall_settings
-	echo 'configure_firewall_for_batman' >> $COMPLETION_FILE
-}
-
-function configure_firewall_for_babel {
-	if grep -Fxq "configure_firewall_for_babel" $COMPLETION_FILE; then
-		return
-	fi
-	if [[ $ENABLE_BABEL != "yes" ]]; then
-		return
-	fi
-	iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $BABEL_PORT -j ACCEPT
-	function_check save_firewall_settings
-	save_firewall_settings
-
-	OPEN_PORTS+=("Babel    $BABEL_PORT")
-	echo 'configure_firewall_for_babel' >> $COMPLETION_FILE
-}
-
-function configure_firewall_for_zeronet {
-	if grep -Fxq "configure_firewall_for_zeronet" $COMPLETION_FILE; then
-		return
-	fi
-	if [[ $SYSTEM_TYPE != "$VARIANT_MESH" ]]; then
-		return
-	fi
-	iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $ZERONET_PORT -j ACCEPT
-	iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $ZERONET_PORT -j ACCEPT
-	iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport $TRACKER_PORT -j ACCEPT
-	iptables -A INPUT -i $WIFI_INTERFACE -p tcp --dport $TRACKER_PORT -j ACCEPT
-	iptables -A INPUT -i $WIFI_INTERFACE -p udp --dport 1900 -j ACCEPT
-	function_check save_firewall_settings
-	save_firewall_settings
-
-	OPEN_PORTS+=("ZeroNet  $ZERONET_PORT")
-	OPEN_PORTS+=("Tracker  $TRACKER_PORT")
-	echo 'configure_firewall_for_zeronet' >> $COMPLETION_FILE
-}
-
-function configure_firewall_for_dlna {
-	if grep -Fxq "configure_firewall_for_dlna" $COMPLETION_FILE; then
-		return
-	fi
-	if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
-		# docker does its own firewalling
-		return
-	fi
-	if [[ $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" ]]; then
-		return
-	fi
-	iptables -A INPUT -p udp --dport 1900 -j ACCEPT
-	iptables -A INPUT -p tcp --dport 8200 -j ACCEPT
-	function_check save_firewall_settings
-	save_firewall_settings
-
-	OPEN_PORTS+=('DLNA     1900')
-	OPEN_PORTS+=('DLNA     8200')
-	echo 'configure_firewall_for_dlna' >> $COMPLETION_FILE
-}
-
 function configure_firewall_for_dns {
 	if grep -Fxq "configure_firewall_for_dns" $COMPLETION_FILE; then
 		return
@@ -309,55 +132,6 @@ function configure_firewall_for_dns {
 	echo 'configure_firewall_for_dns' >> $COMPLETION_FILE
 }
 
-function configure_firewall_for_xmpp {
-	if [ ! -d /etc/prosody ]; then
-		return
-	fi
-	if grep -Fxq "configure_firewall_for_xmpp" $COMPLETION_FILE; then
-		return
-	fi
-	if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
-		# docker does its own firewalling
-		return
-	fi
-	if [[ $ONION_ONLY != "no" ]]; then
-		return
-	fi
-	iptables -A INPUT -p tcp --dport 5222:5223 -j ACCEPT
-	iptables -A INPUT -p tcp --dport 5269 -j ACCEPT
-	iptables -A INPUT -p tcp --dport 5280:5281 -j ACCEPT
-	function_check save_firewall_settings
-	save_firewall_settings
-
-	OPEN_PORTS+=('XMPP     5222-5223')
-	OPEN_PORTS+=('XMPP     5269')
-	OPEN_PORTS+=('XMPP     5280-5281')
-	echo 'configure_firewall_for_xmpp' >> $COMPLETION_FILE
-}
-
-function configure_firewall_for_irc {
-	if [ ! -d /etc/ngircd ]; then
-		return
-	fi
-	if grep -Fxq "configure_firewall_for_irc" $COMPLETION_FILE; then
-		return
-	fi
-	if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
-		# docker does its own firewalling
-		return
-	fi
-	if [[ $ONION_ONLY != "no" ]]; then
-		return
-	fi
-	iptables -A INPUT -p tcp --dport $IRC_PORT  -j ACCEPT
-	iptables -I INPUT -p tcp --dport 1024:65535 --sport $IRC_PORT -j ACCEPT
-	function_check save_firewall_settings
-	save_firewall_settings
-
-	OPEN_PORTS+=("IRC      $IRC_PORT")
-	echo 'configure_firewall_for_irc' >> $COMPLETION_FILE
-}
-
 function configure_firewall_for_web_access {
 	if grep -Fxq "configure_firewall_for_web_access" $COMPLETION_FILE; then
 		return
@@ -398,25 +172,6 @@ function configure_firewall_for_web_server {
 	echo 'configure_firewall_for_web_server' >> $COMPLETION_FILE
 }
 
-function configure_firewall_for_tox {
-	if grep -Fxq "configure_firewall_for_tox" $COMPLETION_FILE; then
-		return
-	fi
-	if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
-		# docker does its own firewalling
-		return
-	fi
-	if [[ $ONION_ONLY != "no" ]]; then
-		return
-	fi
-	iptables -A INPUT -p tcp --dport $TOX_PORT -j ACCEPT
-	function_check save_firewall_settings
-	save_firewall_settings
-
-	OPEN_PORTS+=("Tox      $TOX_PORT")
-	echo 'configure_firewall_for_tox' >> $COMPLETION_FILE
-}
-
 function configure_firewall_for_ssh {
 	if grep -Fxq "configure_firewall_for_ssh" $COMPLETION_FILE; then
 		return
@@ -453,34 +208,6 @@ function configure_firewall_for_git {
 	echo 'configure_firewall_for_git' >> $COMPLETION_FILE
 }
 
-function configure_firewall_for_email {
-	if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_CHAT" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" || $SYSTEM_TYPE == "$VARIANT_MESH" || $SYSTEM_TYPE == "$VARIANT_NONMAILBOX" ]]; then
-		return
-	fi
-	if grep -Fxq "configure_firewall_for_email" $COMPLETION_FILE; then
-		return
-	fi
-	if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
-		# docker does its own firewalling
-		return
-	fi
-	if [[ $ONION_ONLY != "no" ]]; then
-		return
-	fi
-	iptables -A INPUT -p tcp --dport 25 -j ACCEPT
-	iptables -A INPUT -p tcp --dport 587 -j ACCEPT
-	iptables -A INPUT -p tcp --dport 465 -j ACCEPT
-	iptables -A INPUT -p tcp --dport 993 -j ACCEPT
-	function_check save_firewall_settings
-	save_firewall_settings
-
-	OPEN_PORTS+=('Email    25')
-	OPEN_PORTS+=('Email    587')
-	OPEN_PORTS+=('Email    465')
-	OPEN_PORTS+=('Email    993')
-	echo 'configure_firewall_for_email' >> $COMPLETION_FILE
-}
-
 function configure_internet_protocol {
 	if grep -Fxq "configure_internet_protocol" $COMPLETION_FILE; then
 		return