Authentication-Results: mail-b.sr.ht; dkim=pass header.d=secluded.site header.i=@secluded.site Received: from mx.nixnet.email (mx.nixnet.email [94.16.121.167]) by mail-b.sr.ht (Postfix) with ESMTPS id 0A51311EFC9 for <~whereswaldon/arbor-dev@lists.sr.ht>; Thu, 21 Jul 2022 03:10:45 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) by mx.nixnet.email (Postfix) with ESMTPSA id 22E7520286F; Wed, 20 Jul 2022 23:10:36 -0400 (EDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=secluded.site; s=202002021149; t=1658373036; h=from:from:reply-to:subject:subject:to:to:cc:cc; bh=vpBiCRaadUexl55iUZ2jkzG/t3SdfYy0a8O67a1lRwg=; b=ILG4s/C29aKTF1GM2aZ918S7MYKWOA+RiSuImUn0UggZL2WJEeNM7vvmj5wNXvuwO6Picu VWFI+ro/u3TNdP/760Ag40W9lwF3ubb7L/6eoNdm7M/1j9FJkRPeL+2VcnForfjKOC/bek 4hHjIC2Dgyr5e/jhcdLA8AjTbzjz3PU= From: Amolith To: ~whereswaldon/arbor-dev@lists.sr.ht Cc: Amolith Subject: [PATCH 07/12] Disallow incoming, allow relay/client connections Date: Wed, 20 Jul 2022 23:09:56 -0400 Message-Id: <20220721031001.97027-8-amolith@secluded.site> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220721031001.97027-1-amolith@secluded.site> References: <20220721031001.97027-1-amolith@secluded.site> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Signed-off-by: Amolith --- setup.go | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/setup.go b/setup.go index e9f4cbc..ca0a3b4 100644 --- a/setup.go +++ b/setup.go @@ -130,6 +130,11 @@ func Firewall() error { return err } + err = sh.Run("ufw", "default", "deny", "incoming") + if err != nil { + return err + } + // Allow outgoing for ntp err = sh.Run("ufw", "allow", "out", "ntp") if err != nil { 
@@ -147,6 +152,18 @@ func Firewall() error { return err } + // Allow incoming Sprig/relay connections + err = sh.Run("ufw", "allow", "in", "7117") + if err != nil { + return err + } + + // Allow relay to talk with other relays + err = sh.Run("ufw", "allow", "out", "7117") + if err != nil { + return err + } + // Work around a silly Linux design choice: // If this isn't set, enabling the firewall hangs all network connections, // even if they shouldn't be blocked by the firewall. -- 2.37.1
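Review bot: On the first hunk (`ufw default deny incoming` inserted before the ntp rule), nothing in the visible context shows an allow rule for the administrative/SSH port; if `Firewall()` enables ufw with a default-deny incoming policy and no such rule precedes it, the remote session running the setup is cut off. Please confirm an allow rule for the management port exists earlier in the function (or add one before `ufw enable`), and note in the commit message that `deny incoming` is ufw's built-in default, so this line documents intent rather than changing behaviour on a fresh install.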
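Review bot: On the second hunk, `ufw allow in 7117` and `ufw allow out 7117` open the port for both TCP and UDP because no protocol is given; if the relay only speaks one of them, restrict the rule (for example `"7117/tcp"`) so the unused protocol stays closed, and consider a `comment` argument so the rule is identifiable in `ufw status` later. The literal `7117` is also repeated twice; a named constant for the relay port would keep the two rules from drifting apart. Finally, `allow out` only has an effect if outgoing traffic is default-denied, which this hunk does not show, so it is worth stating in the message which default-outgoing policy the function assumes.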