#!/bin/sh
#
# This file is part of Plinth.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#

# Enable tracing to see the commands in
# /var/log/freedombox-first-run.log
set -x

# Setup interfaces into appropriate zones. XXX: This is ideally done
# by network configuration as network configuration tool/scripts have
# better idea of what the interfaces are. There should also be a UI in
# Plinth to classify each interface as external or internal.

# If more than one interfaces is available, assume eth0 is external
# and rest are internal interfaces.
INTERFACES=$(interface-detect | grep wired | grep -v lo | cut -f1 -d,)
NO_OF_INTERFACES=$(echo $INTERFACES | wc --words)
if [ $NO_OF_INTERFACES -gt '1' ]
then
    for INTERFACE in $INTERFACES
    do
        if [ $INTERFACE = 'eth0' ]
        then
            ZONE='external'
        else
            ZONE='internal'
        fi

        firewall-cmd --zone=$ZONE --permanent --add-interface=$INTERFACE
    done
fi

# If only one interface is available, assume it to be internal so that
# services are available on this only possible interface. This means
# that all services which are meant to available only internally will
# be available externally if the interface is publicly accessible.
# XXX: To avoid this, FreedomBox should configure at least two
# interfaces. If only one network hardware device is available, an
# alias such as 'eth0:1' could be created and can act as internal
# interface.
if [ $NO_OF_INTERFACES -eq '1' ]
then
    firewall-cmd --zone=internal --permanent --add-interface="$INTERFACES"
fi


# Setup firewall rules for all the services enabled by default.
# Ideally all non-essential services are enabled from Plinth which
# automatically takes care of enabling appropirate firewall ports. The
# following is then for essential services and services that are not
# yet configurable from Plinth.

# HTTP (JWChat, ownCloud)
firewall-cmd --zone=external --permanent --add-service=http
firewall-cmd --zone=internal --permanent --add-service=http

# HTTPS (Plinth, JWChat, ownCloud)
firewall-cmd --zone=external --permanent --add-service=https
firewall-cmd --zone=internal --permanent --add-service=https

# Tor
firewall-cmd --zone=internal --permanent --add-service=tor-socks

# NTP
firewall-cmd --zone=internal --permanent --add-service=ntp

# DNS
firewall-cmd --zone=internal --permanent --add-service=dns

# mDNS
firewall-cmd --zone=internal --permanent --add-service=mdns

# DHCP
firewall-cmd --zone=internal --permanent --add-service=dhcp

# Bootp Server and Client (not enabled)
#firewall-cmd --zone=internal --permanent --add-port=67/tcp
#firewall-cmd --zone=internal --permanent --add-port=67/udp
#firewall-cmd --zone=internal --permanent --add-port=68/tcp
#firewall-cmd --zone=internal --permanent --add-port=68/udp

# LDAP (not enabled)
#firewall-cmd --zone=internal --permanent --add-service=ldap
#firewall-cmd --zone=internal --permanent --add-service=ldaps

# OpenVPN (not enabled)
#firewall-cmd --zone=external --permanent --add-service=openvpn
#firewall-cmd --zone=internal --permanent --add-service=openvpn

# Privoxy
firewall-cmd --zone=internal --permanent --add-service=privoxy

# XMPP
firewall-cmd --zone=external --permanent --add-service=xmpp-server
firewall-cmd --zone=internal --permanent --add-service=xmpp-server
firewall-cmd --zone=external --permanent --add-service=xmpp-client
firewall-cmd --zone=internal --permanent --add-service=xmpp-client
firewall-cmd --zone=external --permanent --add-service=xmpp-bosh
firewall-cmd --zone=internal --permanent --add-service=xmpp-bosh
