Open ports in the firewall through an rpm

Hi @dev_team

I’m working on urbackup-server (quite soon we will have something to play with) and I need to open ports in the firewall, but my issue is that I need 4 ports, and not necessarily with the same permissions.

The Server binds to the following default ports:

Port     Usage                          Incoming/Outgoing
55413    FastCGI for web interface      Incoming
55414    HTTP web interface             Incoming
55415    Internet clients               Incoming
35623    UDP broadcasts for discovery   Outgoing

Of course the easy solution is to create several network services, even with the status disabled if it doesn’t concern the main service, but I would need to create 3 services:

service a: TCPPorts 55414,55413, status enabled, access none (restricted to the localhost since I have a reverse proxy)
service b: TCPPort 55415, status disabled, access public (Internet clients)
service c: UDPPort 35623, status disabled, access private (used to discover clients, restricted to the local network)

My concern is that it is a mess to look at, mainly in the service dashboard tab: when you see a service stopped and disabled, it attracts your attention.

The other solution could be to create the fwservice and fwrules properties manually in the rpm. I have had a quick look, however it is not my speciality, and also I don’t want to break specific rules added by the sysadmin.

So if you have ideas on the best way to do it, or tips, please shoot.

We had a similar issue in the past with an internal package.
To work around the issue we created only one network service (e.g. the public one on port 55415), and various fragments for /etc/shorewall/rules to open/close specific ports (e.g. 55414,55413) which do not need to be modified by users.

What do you think? Do you need a couple of examples for the fragments inside shorewall?

Thanks in advance for the pointer to the Shorewall fragments.

Here you are!

#
# 40nethvoice
#
{
    # Properties of the 'nethvoice' configuration db record, expanded by the
    # template engine as %nethvoice; missing values default to 'disabled'
    my $iax = $nethvoice{'AllowExternalIAX'} || 'disabled';
    my $webrtc = $nethvoice{'AllowExternalWebRTC'} || 'disabled';
    if ($iax eq 'enabled') {
        $OUT .= "# Enable IAX from red interfaces\n";
        $OUT .= "?COMMENT Enable IAX from red interfaces\n";
        $OUT .= "ACCEPT\tnet\t\$FW\tudp\t4569,5036\n";
    }
    if ($webrtc eq 'enabled') {
        $OUT .= "# Enable WebRTC from red interfaces\n";
        $OUT .= "?COMMENT Enable WebRTC from red interfaces\n";
        $OUT .= "ACCEPT\tnet\t\$FW\ttcp\t8089\n";
    }

    # Reset the ?COMMENT so later fragments do not inherit it
    $OUT .= "?COMMENT\n";
}

Credits to @Stll0

1 Like

Where do I put it?

Put it as a fragment of rules file, like: /etc/e-smith/templates/etc/shorewall/rules/40urbackup

blue -> comes from blue Nic
net -> comes from the red Nic
tcp -> tcp port
udp -> udp port
REDIRECT -> redirect
ACCEPT -> accept
REJECT -> reject

Now I’m not sure:
loc -> local network ???

Well, what about writing them in the developer manual?

loc is green.
loc is the Shorewall LAN trusted zone, called green in NethServer.

It’s already there :wink: http://docs.nethserver.org/projects/nethserver-devel/en/latest/gateway.html#roles-and-zones
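Putting the zone names and the fragment layout together for the urbackup ports, as an added example and not the fragment that was actually merged into the package. It assumes a configuration db record named urbackup, expanded by the template engine as %urbackup, with two hypothetical properties AllowInternetClients and AllowDiscovery:

```perl
#
# 40urbackup (hypothetical fragment: /etc/e-smith/templates/etc/shorewall/rules/40urbackup)
#
{
    # %urbackup is the 'urbackup' configuration db record; the two property
    # names below are assumptions for this example and default to 'disabled'
    my $status    = $urbackup{'status'}              || 'disabled';
    my $internet  = $urbackup{'AllowInternetClients'} || 'disabled';
    my $discovery = $urbackup{'AllowDiscovery'}       || 'disabled';

    # Ports 55413 (FastCGI) and 55414 (HTTP) stay behind the reverse proxy,
    # bound to localhost only, so no firewall rule is emitted for them.
    if ($status eq 'enabled') {
        if ($internet eq 'enabled') {
            # Internet clients reach TCP 55415 from the red zone (net)
            $OUT .= "?COMMENT urbackup: Internet clients from red interfaces\n";
            $OUT .= "ACCEPT\tnet\t\$FW\ttcp\t55415\n";
        }
        if ($discovery eq 'enabled') {
            # Client discovery uses UDP 35623 and must stay on the LAN,
            # so it is accepted only from the green zone (loc)
            $OUT .= "?COMMENT urbackup: client discovery from green interfaces\n";
            $OUT .= "ACCEPT\tloc\t\$FW\tudp\t35623\n";
        }
    }

    # Reset the ?COMMENT so the following fragments do not inherit it
    $OUT .= "?COMMENT\n";
}
```

Because the fragment is numbered 40 it is expanded before the sysadmin's custom rules, which live in fragment 60rules, so these entries take precedence in the generated /etc/shorewall/rules.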

I did something, but before reading your message.

However, I can read how to set up your firewall by the db command, but nothing about a custom template, hence why I wrote this post.

Do I still have my sunglasses on at home?

1 Like

Thanks for the merge :slight_smile:

Question: can these rules be overwritten by other sysadmins’ custom rules?

Are the first rules the ones used by Shorewall?

The \t in the template file doesn’t appear; is it a GitHub bug or will it be the same in the final documentation, @giacomo?

No, custom rules are expanded later (fragment 60rules).

Yes, exactly how iptables works: earlier rules have priority.

I don’t know, I will check it later.

Should be fixed now.

1 Like