storm/configure-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Improve handling of the firewall. added enable or disable to the menu based on the current state.

Browse Source
This commit is contained in:
Storm Dragon
2026-04-18 03:11:53 -04:00
parent d3a9c009da
commit e7d95c1a62
2 changed files with 60 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.includes/firewall.sh
+58 -5
View File
@@ -12,6 +12,34 @@ ufw_status_output() {
sudo "${sudoFlags[@]}" ufw status 2>&1 sudo "${sudoFlags[@]}" ufw status 2>&1
} }
firewall_reboot_required() {
[[ ! -d "/lib/modules/$(uname -r)" ]]
}
ensure_firewall_backend_ready() {
if firewall_reboot_required; then
msgbox "The running kernel does not match the installed modules. Reboot this server before managing the firewall."
return 1
fi
return 0
}
firewall_enabled() {
local statusText=""
if ! ufw_installed; then
return 1
fi
if ! ensure_firewall_backend_ready; then
return 1
fi
statusText="$(ufw_status_output)"
[[ "$statusText" =~ ^Status:[[:space:]]+active$ ]]
}
ensure_ufw() { ensure_ufw() {
if ufw_installed; then if ufw_installed; then
return 0 return 0
@@ -27,7 +55,7 @@ ensure_ufw() {
return 1 return 1
fi fi
msgbox "ufw installed." msgbox "ufw installed. The firewall is not active until you choose Enable firewall."
return 0 return 0
} }
@@ -118,6 +146,7 @@ allow_ssh_port() {
local sshPort="" local sshPort=""
ensure_ufw || return 1 ensure_ufw || return 1
ensure_firewall_backend_ready || return 1
sshPort="$(resolve_ssh_port)" || { sshPort="$(resolve_ssh_port)" || {
msgbox "Firewall change cancelled because the SSH port could not be confirmed." msgbox "Firewall change cancelled because the SSH port could not be confirmed."
return 1 return 1
@@ -128,8 +157,16 @@ allow_ssh_port() {
enable_firewall() { enable_firewall() {
ensure_ufw || return 1 ensure_ufw || return 1
ensure_firewall_backend_ready || return 1
allow_ssh_port || return 1 allow_ssh_port || return 1
# `sudoFlags` is initialized by the main launcher before sourcing this file.
# shellcheck disable=SC2154
if ! sudo "${sudoFlags[@]}" ufw --force enable; then
msgbox "Failed to enable ufw."
return 1
fi
# `sudoFlags` is initialized by the main launcher before sourcing this file. # `sudoFlags` is initialized by the main launcher before sourcing this file.
# shellcheck disable=SC2154 # shellcheck disable=SC2154
if sudo "${sudoFlags[@]}" systemctl enable --now ufw; then if sudo "${sudoFlags[@]}" systemctl enable --now ufw; then
@@ -137,12 +174,20 @@ enable_firewall() {
return 0 return 0
fi fi
msgbox "Failed to enable ufw." msgbox "ufw rules were enabled, but the ufw service failed to enable at boot."
return 1 return 1
} }
disable_firewall() { disable_firewall() {
ensure_ufw || return 1 ensure_ufw || return 1
ensure_firewall_backend_ready || return 1
# `sudoFlags` is initialized by the main launcher before sourcing this file.
# shellcheck disable=SC2154
if ! sudo "${sudoFlags[@]}" ufw --force disable; then
msgbox "Failed to disable ufw."
return 1
fi
# `sudoFlags` is initialized by the main launcher before sourcing this file. # `sudoFlags` is initialized by the main launcher before sourcing this file.
# shellcheck disable=SC2154 # shellcheck disable=SC2154
@@ -151,7 +196,7 @@ disable_firewall() {
return 0 return 0
fi fi
msgbox "Failed to disable ufw." msgbox "ufw rules were disabled, but the ufw service state could not be updated."
return 1 return 1
} }
@@ -160,6 +205,7 @@ open_custom_port() {
local protocolChoice="" local protocolChoice=""
ensure_ufw || return 1 ensure_ufw || return 1
ensure_firewall_backend_ready || return 1
portNumber="$(inputbox "Enter the port number to open.")" || return 1 portNumber="$(inputbox "Enter the port number to open.")" || return 1
if ! valid_port "$portNumber"; then if ! valid_port "$portNumber"; then
msgbox "Enter a valid port number from 1 to 65535." msgbox "Enter a valid port number from 1 to 65535."
@@ -226,6 +272,7 @@ close_port() {
local ruleValue="" local ruleValue=""
ensure_ufw || return 1 ensure_ufw || return 1
ensure_firewall_backend_ready || return 1
while IFS= read -r ruleValue; do while IFS= read -r ruleValue; do
[[ -n "$ruleValue" ]] && removableRules+=("$ruleValue") [[ -n "$ruleValue" ]] && removableRules+=("$ruleValue")
done < <(list_simple_allow_rules | sort -n -t / -k 1,1) done < <(list_simple_allow_rules | sort -n -t / -k 1,1)
@@ -253,6 +300,7 @@ view_firewall_status() {
local statusText="" local statusText=""
ensure_ufw || return 1 ensure_ufw || return 1
ensure_firewall_backend_ready || return 1
tempFile="$(mktemp)" tempFile="$(mktemp)"
# `sudoFlags` is initialized by the main launcher before sourcing this file. # `sudoFlags` is initialized by the main launcher before sourcing this file.
# shellcheck disable=SC2154 # shellcheck disable=SC2154
@@ -263,9 +311,14 @@ view_firewall_status() {
} }
while true; do while true; do
if firewall_enabled; then
firewallToggleLabel="Disable firewall"
else
firewallToggleLabel="Enable firewall"
fi
firewallChoice="$(menulist \ firewallChoice="$(menulist \
"Enable firewall" \ "$firewallToggleLabel" \
"Disable firewall" \
"Allow SSH" \ "Allow SSH" \
"Open port" \ "Open port" \
"Close port" \ "Close port" \
.includes/nginx.sh
+2 -6
View File
@@ -57,9 +57,9 @@ web_ports_open() {
fi fi
while IFS= read -r statusLine; do while IFS= read -r statusLine; do
if [[ "$statusLine" =~ ^[[:space:]]*80/tcp[[:space:]]+ALLOW[[:space:]]+Anywhere([[:space:]]*\(v6\))?[[:space:]]*$ ]]; then if [[ "$statusLine" =~ ^[[:space:]]*80/tcp([[:space:]]+\(v6\))?[[:space:]]+ALLOW([[:space:]]+IN)?[[:space:]]+Anywhere([[:space:]]+\(v6\))?[[:space:]]*$ ]]; then
hasHttp="Yes" hasHttp="Yes"
elif [[ "$statusLine" =~ ^[[:space:]]*443/tcp[[:space:]]+ALLOW[[:space:]]+Anywhere([[:space:]]*\(v6\))?[[:space:]]*$ ]]; then elif [[ "$statusLine" =~ ^[[:space:]]*443/tcp([[:space:]]+\(v6\))?[[:space:]]+ALLOW([[:space:]]+IN)?[[:space:]]+Anywhere([[:space:]]+\(v6\))?[[:space:]]*$ ]]; then
hasHttps="Yes" hasHttps="Yes"
fi fi
done < <( done < <(
@@ -125,10 +125,6 @@ prompt_clacks_header() {
local nameEntry="" local nameEntry=""
local clacksHeader="" local clacksHeader=""
if [[ "$(yesno "Would you like to add an optional X-Clacks-Overhead header for all nginx sites?")" != "Yes" ]]; then
return 1
fi
msgbox "X-Clacks-Overhead is an optional tribute header inspired by Terry Pratchett's Clacks. Websites use it to remember names with values such as GNU Terry Pratchett. For more information, please see: ${clacksInfoUrl}" msgbox "X-Clacks-Overhead is an optional tribute header inspired by Terry Pratchett's Clacks. Websites use it to remember names with values such as GNU Terry Pratchett. For more information, please see: ${clacksInfoUrl}"
rawNames="$(inputbox "Enter a comma-separated list of names for the X-Clacks-Overhead header, or leave blank to skip.")" || return 1 rawNames="$(inputbox "Enter a comma-separated list of names for the X-Clacks-Overhead header, or leave blank to skip.")" || return 1
if [[ -z "${rawNames//[[:space:]]/}" ]]; then if [[ -z "${rawNames//[[:space:]]/}" ]]; then