firewall.py complete revamp
Salamandar committed Dec 20, 2024
1 parent 62f43b4 commit 291bca0
Showing 9 changed files with 562 additions and 471 deletions.
57 changes: 45 additions & 12 deletions conf/yunohost/firewall.yml
@@ -1,12 +1,45 @@
uPnP:
enabled: false
TCP: [22, 25, 80, 443, 587, 993, 5222, 5269]
UDP: []
TCP_TO_CLOSE: []
UDP_TO_CLOSE: []
ipv4:
TCP: [22, 25, 53, 80, 443, 587, 993, 5222, 5269]
UDP: [53, 5353]
ipv6:
TCP: [22, 25, 53, 80, 443, 587, 993, 5222, 5269]
UDP: [53, 5353]
router_forwarding_upnp: false

tcp:
22:
open: true
upnp: true
comment: Default SSH port
25:
open: true
upnp: true
comment: SMTP email server (postfix)
80:
open: true
upnp: true
comment: HTTP server (nginx)
443:
open: true
upnp: true
comment: HTTPS server (nginx)
587:
open: true
upnp: true
comment: SMTP MSA email server (postfix)
993:
open: true
upnp: true
comment: IMAP email server (dovecot)

udp:
53:
open: true
upnp: false
comment: DNS server (dnsmasq)
1900:
open: true
upnp: false
comment: UPnP services
5353:
open: true
upnp: false
comment: mDNS (yunomdns)
55354:
open: true
upnp: false
comment: YunoHost UPnP firewall configurator
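Review bot: the new defaults change the exposed surface without the commit saying so. Compared with the removed `ipv4:`/`ipv6:` lists, TCP 53 and TCP 5222/5269 are no longer opened by default, while UDP 1900 and UDP 55354 ("YunoHost UPnP firewall configurator") are now open to everyone even though `router_forwarding_upnp: false`. If dropping 53/TCP and the XMPP ports is intentional, state it in the commit message and handle it in the migration from the old keys (`ipv4`, `ipv6`, `TCP_TO_CLOSE`, `UDP_TO_CLOSE`, which existing installs still carry); and consider opening 1900 and 55354 only while UPnP is actually enabled rather than unconditionally. Also note that `upnp: true` on port 22 means SSH gets forwarded through the router as soon as a user turns UPnP on, which deserves a deliberate choice rather than being the default. Losing the per-family split also means there is no longer a way to open a port on IPv4 only from this file.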
2 changes: 1 addition & 1 deletion conf/yunohost/services.yml
Expand Up @@ -55,7 +55,7 @@ yunohost-api:
category: admin
yunohost-firewall:
need_lock: true
test_status: iptables -S | grep "^-A INPUT" | grep " --dport" | grep -q ACCEPT
test_status: nft list chain ip filter input | grep "dport" | grep -q "accept"
category: security
yunomdns:
category: mdns
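Review bot: the new `test_status` only inspects the IPv4 `ip` family and a table literally named `filter` (`nft list chain ip filter input`). If the revamped firewall.py creates its rules in an `inet` table or under another table name, `nft` exits non-zero, the chain is never listed and the service is reported down even when rules are loaded; and IPv6 rules are never checked either way. Point the check at the exact family/table/chain that firewall.py creates, and match `dport` and `accept` on the same rule (one `grep -E 'dport .* accept'`) rather than two independent greps, which would also pass on an unrelated `accept` line.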
4 changes: 2 additions & 2 deletions debian/control
Expand Up @@ -19,7 +19,7 @@ Depends: python3-all (>= 3.11),
, python-is-python3, python3-pydantic, python3-email-validator
, nginx, nginx-extras (>=1.22)
, apt, apt-transport-https, apt-utils, aptitude, dirmngr
, openssh-server, iptables, fail2ban, bind9-dnsutils
, openssh-server, nftables, fail2ban, bind9-dnsutils
, openssl, ca-certificates, netcat-openbsd, iproute2
, slapd, ldap-utils, sudo-ldap, libnss-ldapd, unscd, libpam-ldapd
, dnsmasq, resolvconf, libnss-myhostname
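Review bot: replacing `iptables` with `nftables` in Depends leaves fail2ban (still a dependency on the line above) without a working ban backend on fresh installs: fail2ban's stock `banaction` is `iptables-multiport`, which shells out to the `iptables` binary that this change stops pulling in. Unless the same commit ships `banaction = nftables` and `banaction_allports = nftables[type=allports]` in YunoHost's fail2ban configuration, bans will start failing silently. Also make sure whatever firewall.py does on reload does not `flush ruleset`, since that would wipe fail2ban's own nft table along with everything else.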
Expand All @@ -44,7 +44,7 @@ Conflicts: iptables-persistent
, slapd (>= 2.6)
, dovecot-core (>= 1:2.4)
, fail2ban (>= 1.1)
, iptables (>= 1.8.10)
, nftables (>= 1.1)
Description: manageable and configured self-hosting server
YunoHost aims to make self-hosting accessible to everyone. It configures
an email, Web and IM server alongside a LDAP base. It also provides
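Review bot: the upper bound `nftables (>= 1.1)` follows the file's convention of refusing untested major versions, fine. What is missing is handling of `nftables.service`, which the `nftables` package installs: it runs `nft -f /etc/nftables.conf`, and Debian's default `/etc/nftables.conf` begins with `flush ruleset`. If that unit is ever enabled or restarted after `yunohost-firewall` has loaded its rules, the host is left wide open. Either mask/disable it in postinst, or order `yunohost-firewall` after it and document that the two must not both manage the ruleset.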
89 changes: 78 additions & 11 deletions share/actionsmap.yml
Expand Up @@ -1396,13 +1396,83 @@ firewall:
full: --raw
help: Return the complete YAML dict
action: store_true
-i:
full: --by-ip-version
help: List rules by IP version
action: store_true
protocol:
help: "If not raw, protocol type to list (tcp/udp)"
choices:
- tcp
- udp
nargs: "?"
-f:
full: --list-forwarded
help: List forwarded ports with UPnP
full: --forwarded
help: If not raw, list UPnP forwarded ports instead of open ports
action: store_true

### firewall_open()
open:
action_help: Allow connections on a port
api: PUT /firewall/<protocol>/open/<port>
arguments:
port:
help: Port or range of ports to open
extra:
pattern: &pattern_port_or_range
- !!str ((^|(?!\A):)([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])){1,2}?$
- "pattern_port_or_range"
protocol:
help: "Protocol type (tcp/udp)"
choices:
- tcp
- udp
default: tcp
comment:
help: A reason for the port to be open (like the app's name)
default: ""
--upnp:
help: Add forwarding of this port with UPnP
action: store_true
--no-reload:
help: Do not reload firewall rules
action: store_true

### firewall_close()
close:
action_help: Disallow connections on a port
api: PUT /firewall/<protocol>/close/<port>
arguments:
port:
help: Port or range of ports to close
extra:
pattern: *pattern_port_or_range
protocol:
help: "Protocol type (tcp/udp)"
choices:
- tcp
- udp
default: tcp
--upnp-only:
help: Only remove forwarding of this port with UPnP
action: store_true
--no-reload:
help: Do not reload firewall rules
action: store_true

### firewall_delete()
delete:
action_help: Unregister a port from YunoHost
api: PUT /firewall/<protocol>/delete/<port>
arguments:
port:
help: Port or range of ports to delete
extra:
pattern: *pattern_port_or_range
protocol:
help: "Protocol type (tcp/udp)"
choices:
- tcp
- udp
default: tcp
--no-reload:
help: Do not reload firewall rules
action: store_true

### firewall_allow()
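Review bot: `pattern_port_or_range` validates each number but not the order, so `8000:80` passes the actionsmap check and firewall.py must reject or normalise reversed ranges itself; worth a test. The `comment` argument is free text that lands in firewall.yml and presumably in the generated nft rule comment: pass it as a discrete argument, never interpolated into a shell command or an `nft -f` script, because a `"` or newline inside it would otherwise break or inject rule syntax. Minor: the help for `delete` ("Unregister a port from YunoHost") should say whether the port is closed first or only forgotten, since `close --upnp-only` shows the two states are now distinct.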
Expand All @@ -1420,9 +1490,7 @@ firewall:
port:
help: Port or range of ports to open
extra:
pattern: &pattern_port_or_range
- !!str ((^|(?!\A):)([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])){1,2}?$
- "pattern_port_or_range"
pattern: *pattern_port_or_range
-4:
full: --ipv4-only
help: Only add a rule for IPv4 connections
Expand Down Expand Up @@ -1479,7 +1547,6 @@ firewall:
- enable
- disable
- status
- reload
nargs: "?"
default: status
--no-refresh:
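Review bot: removing `reload` from the `upnp` action's choices silently breaks any caller (webadmin, app scripts, cron) that runs `yunohost firewall upnp reload`. If the reload behaviour is now folded into `enable`/`status` or into `firewall reload`, say so in the commit message and keep `reload` accepted for one release with a deprecation warning rather than turning it into an argument error.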
Expand All @@ -1497,7 +1564,7 @@ firewall:

### firewall_stop()
stop:
action_help: Stop iptables and ip6tables
action_help: Remove all the firewall rules



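Review bot: "Remove all the firewall rules" is accurate, but the help should spell out the consequence: after `firewall stop` every port on the host is reachable until the next `firewall reload`. It should also say whether UPnP router forwardings are removed as part of stopping, since that is the part of the state a user cannot see locally.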

0 comments on commit 291bca0
