mynode/rootfs/standard/usr/bin/mynode_firewall.sh

#!/bin/bash

set -e
set -x

# Make sure we are using legacy iptables
update-alternatives --set iptables /usr/sbin/iptables-legacy || true
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy || true

# Add default rules
ufw default deny incoming
ufw default allow outgoing

# Add firewall rules
ufw allow 22    comment 'allow SSH'
ufw allow 80    comment 'allow WWW'
ufw allow 443   comment 'allow Secure WWW'
ufw allow 1900  comment 'allow SSDP for UPnP discovery'
ufw allow 2189  comment 'allow UPnP'
ufw allow from 10.0.0.0/8 port 1900 to any      comment 'allow UPnP from router'
ufw allow from 192.168.0.0/16 port 1900 to any  comment 'allow UPnP from router'
ufw allow from 172.16.0.0/12 port 1900 to any   comment 'allow UPnP from router'
ufw allow 9911  comment 'allow Lightning Watchtower'
ufw allow 10009 comment 'allow Lightning gRPC'
ufw allow 10080 comment 'allow Lightning REST RPC'
ufw allow 9735  comment 'allow Lightning'
ufw allow 8332  comment 'allow Bitcoin RPC - filtered by rpcallowip'
ufw allow 8333  comment 'allow Bitcoin mainnet'
ufw allow 18333 comment 'allow Bitcoin testnet'
ufw allow from 172.17.0.0/16 to any port 28332 comment 'allow Dojo zmqrawblock'
ufw allow from 172.28.0.0/16 to any port 28332 comment 'allow Dojo zmqrawblock'
ufw allow from 172.17.0.0/16 to any port 28333 comment 'allow Dojo zmqrawtx'
ufw allow from 172.28.0.0/16 to any port 28333 comment 'allow Dojo zmqrawtx'
ufw allow from 172.17.0.0/16 to any port 28334 comment 'allow Dojo zmqhashblock'
ufw allow from 172.28.0.0/16 to any port 28334 comment 'allow Dojo zmqhashblock'
ufw allow 8335  comment 'allow corsproxy for btc rpc'
ufw allow 8443  comment 'allow Lightning Terminal'
ufw allow 2222  comment 'allow WebSSH2'
ufw allow 2223  comment 'allow WebSSH2 HTTPS'
ufw allow 3000  comment 'allow LndHub'
ufw allow 3001  comment 'allow LndHub HTTPS'
ufw allow 3002  comment 'allow BTC RPC Explorer'
ufw allow 3003  comment 'allow BTC RPC Explorer HTTPS'
ufw allow 3010  comment 'allow RTL'
ufw allow 3011  comment 'allow RTL HTTPS'
ufw allow 3020  comment 'allow Caravan'
ufw allow 3030  comment 'allow Thunderhub'
ufw allow 3031  comment 'allow Thunderhub HTTPS'
ufw allow 3493  comment 'allow Network UPS Tools'
ufw allow 4080  comment 'allow Mempool'
ufw allow 4081  comment 'allow Mempool HTTPS'
ufw allow 5000  comment 'allow LNBits'
ufw allow 5001  comment 'allow LNBits HTTPS'
ufw allow 5010  comment 'allow Warden Terminal'
ufw allow 5011  comment 'allow Warden Terminal HTTPS'
ufw allow 5351  comment 'allow NAT-PMP'
ufw allow 5353  comment 'allow Avahi'
ufw allow 8010:8019/tcp  comment 'allow USB Extras HTTP/HTTPS'
ufw allow 8899  comment 'allow Whirlpool'
ufw allow 9823  comment 'allow CKBunker'
ufw allow 9824  comment 'allow CKBunker HTTPS'
ufw allow 50001 comment 'allow Electrum Server'
ufw allow 50002 comment 'allow Electrum Server'
ufw allow 53001 comment 'allow Sphinx Relay'
ufw allow 56881 comment 'allow myNode QuickSync'
ufw allow 51413 comment 'allow myNode QuickSync'
ufw allow 6771  comment 'allow myNode QuickSync (LPD)'
ufw allow 19999 comment 'allow Netdata'
ufw allow 20000 comment 'allow Netdata HTTPS'
ufw allow 25441 comment 'allow Specter Desktop'
ufw allow 49392 comment 'allow BTCPay Server-direct'
ufw allow 49393 comment 'allow BTCPay Server-direct HTTPS'
ufw allow 51194 comment 'allow VPN'
ufw allow 61208 comment 'allow Glances'
ufw allow 61209 comment 'allow Glances HTTPS'
ufw allow from 127.0.0.1 comment 'allow from localhost'
#ufw allow from ::1 comment 'allow from localhost'

# Allow all local traffic
if [ -f /mnt/hdd/mynode/settings/local_traffic_allowed ]; then
    ufw allow from 10.0.0.0/8
    ufw allow from 192.168.0.0/16
    ufw allow from 172.16.0.0/12
else
    ufw delete allow from 10.0.0.0/8
    ufw delete allow from 192.168.0.0/16
    ufw delete allow from 172.16.0.0/12
fi

# Open ports for additional apps
mynode-manage-apps openports

# Enable UFW
ufw --force enable

# Make sure ufw is enabled at boot
systemctl enable ufw

# Check UFW status
ufw status

# Reload firewall after some time to reset (fixes VPN)
sleep 120s
ufw reload

# We don't really want to exit
sleep 999d
exit 0
Initial copy to open source repo 2019-06-15 23:02:44 +00:00			`#!/bin/bash`

			`set -e`
			`set -x`

Use legacy iptables 2020-03-05 04:29:58 +00:00			`# Make sure we are using legacy iptables`
			`update-alternatives --set iptables /usr/sbin/iptables-legacy \|\| true`
			`update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy \|\| true`

Initial copy to open source repo 2019-06-15 23:02:44 +00:00			`# Add default rules`
			`ufw default deny incoming`
			`ufw default allow outgoing`

			`# Add firewall rules`
			`ufw allow 22 comment 'allow SSH'`
			`ufw allow 80 comment 'allow WWW'`
Firewall setup will retry if it fails 2020-03-30 23:19:59 +00:00			`ufw allow 443 comment 'allow Secure WWW'`
Initial copy to open source repo 2019-06-15 23:02:44 +00:00			`ufw allow 1900 comment 'allow SSDP for UPnP discovery'`
Open NAT-PMP port 2022-09-09 03:55:34 +00:00			`ufw allow 2189 comment 'allow UPnP'`
Improve UPNP firewall rules 2021-02-14 17:58:14 +00:00			`ufw allow from 10.0.0.0/8 port 1900 to any comment 'allow UPnP from router'`
			`ufw allow from 192.168.0.0/16 port 1900 to any comment 'allow UPnP from router'`
			`ufw allow from 172.16.0.0/12 port 1900 to any comment 'allow UPnP from router'`
Allow LND watchtower through firewall 2022-03-07 04:06:04 +00:00			`ufw allow 9911 comment 'allow Lightning Watchtower'`
Initial copy to open source repo 2019-06-15 23:02:44 +00:00			`ufw allow 10009 comment 'allow Lightning gRPC'`
			`ufw allow 10080 comment 'allow Lightning REST RPC'`
			`ufw allow 9735 comment 'allow Lightning'`
Add mempool.space 2019-12-23 05:46:42 +00:00			`ufw allow 8332 comment 'allow Bitcoin RPC - filtered by rpcallowip'`
Add Samourai Dojo to MyNode (#143) +added files dojo.service mynode_gen_dojo_config.sh mynode_post_dojo.sh dojo.py dojo.html %modified files mynode_firewall.sh mynode_post_upgrade.sh mynode_stop_critical_services.sh bitcoin.conf enable_disable_functions.py mynode.py apps.html Special thanks to Taylor Helsper for creating MyNode and Merging Dojo Special thanks to BTCxZelko for getting me started with Dojo and assisting with the code. Special thanks to Amiga500 for helping with testing. Co-authored-by: Taylor Helsper <tehelsper@gmail.com> 2020-02-28 01:25:33 +00:00			`ufw allow 8333 comment 'allow Bitcoin mainnet'`
			`ufw allow 18333 comment 'allow Bitcoin testnet'`
			`ufw allow from 172.17.0.0/16 to any port 28332 comment 'allow Dojo zmqrawblock'`
			`ufw allow from 172.28.0.0/16 to any port 28332 comment 'allow Dojo zmqrawblock'`
			`ufw allow from 172.17.0.0/16 to any port 28333 comment 'allow Dojo zmqrawtx'`
			`ufw allow from 172.28.0.0/16 to any port 28333 comment 'allow Dojo zmqrawtx'`
			`ufw allow from 172.17.0.0/16 to any port 28334 comment 'allow Dojo zmqhashblock'`
			`ufw allow from 172.28.0.0/16 to any port 28334 comment 'allow Dojo zmqhashblock'`
Move Corsproxy port for btc rpc from 8334->8335 since bitcoin uses 8334 now 2021-02-10 06:00:38 +00:00			`ufw allow 8335 comment 'allow corsproxy for btc rpc'`
Add Lightning Terminal v0.4.1 (#500) 2021-03-31 03:09:55 +00:00			`ufw allow 8443 comment 'allow Lightning Terminal'`
Add WebSSH Client 2019-11-23 04:27:35 +00:00			`ufw allow 2222 comment 'allow WebSSH2'`
Add HTTPS for Glances, Netdata, WebSSH 2020-08-18 02:33:34 +00:00			`ufw allow 2223 comment 'allow WebSSH2 HTTPS'`
Initial copy to open source repo 2019-06-15 23:02:44 +00:00			`ufw allow 3000 comment 'allow LndHub'`
Open firewall ports for new HTTPS services 2020-08-12 04:22:40 +00:00			`ufw allow 3001 comment 'allow LndHub HTTPS'`
Initial copy to open source repo 2019-06-15 23:02:44 +00:00			`ufw allow 3002 comment 'allow BTC RPC Explorer'`
Open firewall ports for new HTTPS services 2020-08-12 04:22:40 +00:00			`ufw allow 3003 comment 'allow BTC RPC Explorer HTTPS'`
Initial copy to open source repo 2019-06-15 23:02:44 +00:00			`ufw allow 3010 comment 'allow RTL'`
More nginx additions 2020-08-11 04:08:38 +00:00			`ufw allow 3011 comment 'allow RTL HTTPS'`
Add Caravan and a Proxy for handling CORS issues 2020-06-06 01:46:39 +00:00			`ufw allow 3020 comment 'allow Caravan'`
Add thunderhub 2020-07-14 04:50:54 +00:00			`ufw allow 3030 comment 'allow Thunderhub'`
More nginx additions 2020-08-11 04:08:38 +00:00			`ufw allow 3031 comment 'allow Thunderhub HTTPS'`
Open port for NUT 2021-12-19 01:17:58 +00:00			`ufw allow 3493 comment 'allow Network UPS Tools'`
Rename mempoolspace to mempool 2020-03-21 02:56:53 +00:00			`ufw allow 4080 comment 'allow Mempool'`
Add HTTPS for Mempool and BTC Pay Server 2020-08-18 01:27:07 +00:00			`ufw allow 4081 comment 'allow Mempool HTTPS'`
Upgrade to Python 3.7.7; More lnbits foundation 2020-06-26 04:30:17 +00:00			`ufw allow 5000 comment 'allow LNBits'`
More nginx additions 2020-08-11 04:08:38 +00:00			`ufw allow 5001 comment 'allow LNBits HTTPS'`
Add Warden Terminal 2021-12-05 22:11:22 +00:00			`ufw allow 5010 comment 'allow Warden Terminal'`
			`ufw allow 5011 comment 'allow Warden Terminal HTTPS'`
Open NAT-PMP port 2022-09-09 03:55:34 +00:00			`ufw allow 5351 comment 'allow NAT-PMP'`
Open Avahi port 2019-10-05 01:26:48 +00:00			`ufw allow 5353 comment 'allow Avahi'`
Add Opendime Support (#612) 2021-12-29 18:50:03 +00:00			`ufw allow 8010:8019/tcp comment 'allow USB Extras HTTP/HTTPS'`
Whirlpool tweaks 2019-12-26 05:11:29 +00:00			`ufw allow 8899 comment 'allow Whirlpool'`
Install CKBunker v0.9; Install Sphinx Relay v1.3.8 2021-02-10 05:37:43 +00:00			`ufw allow 9823 comment 'allow CKBunker'`
			`ufw allow 9824 comment 'allow CKBunker HTTPS'`
Initial copy to open source repo 2019-06-15 23:02:44 +00:00			`ufw allow 50001 comment 'allow Electrum Server'`
			`ufw allow 50002 comment 'allow Electrum Server'`
Install CKBunker v0.9; Install Sphinx Relay v1.3.8 2021-02-10 05:37:43 +00:00			`ufw allow 53001 comment 'allow Sphinx Relay'`
Initial copy to open source repo 2019-06-15 23:02:44 +00:00			`ufw allow 56881 comment 'allow myNode QuickSync'`
			`ufw allow 51413 comment 'allow myNode QuickSync'`
			`ufw allow 6771 comment 'allow myNode QuickSync (LPD)'`
Add netdata - first docker container 2019-11-14 02:32:37 +00:00			`ufw allow 19999 comment 'allow Netdata'`
Add HTTPS for Glances, Netdata, WebSSH 2020-08-18 02:33:34 +00:00			`ufw allow 20000 comment 'allow Netdata HTTPS'`
Add Specter; Add beta apps section 2020-07-08 03:13:01 +00:00			`ufw allow 25441 comment 'allow Specter Desktop'`
Update mynode_firewall.sh (#209) 2020-02-23 05:40:19 +00:00			`ufw allow 49392 comment 'allow BTCPay Server-direct'`
Add HTTPS for Mempool and BTC Pay Server 2020-08-18 01:27:07 +00:00			`ufw allow 49393 comment 'allow BTCPay Server-direct HTTPS'`
Initial VPN checkin 2019-08-13 03:29:53 +00:00			`ufw allow 51194 comment 'allow VPN'`
Update mynode_firewall.sh (#209) 2020-02-23 05:40:19 +00:00			`ufw allow 61208 comment 'allow Glances'`
Add HTTPS for Glances, Netdata, WebSSH 2020-08-18 02:33:34 +00:00			`ufw allow 61209 comment 'allow Glances HTTPS'`
Initial copy to open source repo 2019-06-15 23:02:44 +00:00			`ufw allow from 127.0.0.1 comment 'allow from localhost'`
Remove IPv6 rules since ufw defaults to IPv6 disabled 2020-03-05 04:30:35 +00:00			`#ufw allow from ::1 comment 'allow from localhost'`
Whirlpool tweaks 2019-12-26 05:11:29 +00:00
Add firewall toggle for local traffic; Add button to reset watchtower 2022-06-10 04:47:34 +00:00			`# Allow all local traffic`
			`if [ -f /mnt/hdd/mynode/settings/local_traffic_allowed ]; then`
			`ufw allow from 10.0.0.0/8`
			`ufw allow from 192.168.0.0/16`
			`ufw allow from 172.16.0.0/12`
			`else`
			`ufw delete allow from 10.0.0.0/8`
			`ufw delete allow from 192.168.0.0/16`
			`ufw delete allow from 172.16.0.0/12`
			`fi`

Open ports for dynamic apps 2022-04-21 04:07:03 +00:00			`# Open ports for additional apps`
			`mynode-manage-apps openports`

Initial copy to open source repo 2019-06-15 23:02:44 +00:00			`# Enable UFW`
			`ufw --force enable`

			`# Make sure ufw is enabled at boot`
			`systemctl enable ufw`

			`# Check UFW status`
			`ufw status`

Fix VPN issue where firewall needs to restart after VPN is active 2019-08-31 01:17:35 +00:00			`# Reload firewall after some time to reset (fixes VPN)`
			`sleep 120s`
			`ufw reload`

Firewall setup will retry if it fails 2020-03-30 23:19:59 +00:00			`# We don't really want to exit`
			`sleep 999d`
Add Samourai Wallet's Whirlpool (#76) * basic files and pages * Create whirlpool.service * Added Whirlpool port * add openjdk-8-jre * Whirlpool dependencies * updates for PR added line 26 and 27 removed second argument from wget * Whirlpool edit added sudo -u bitcoin * instructions for setting up whirlpool * corrected line 25 sudo -u bitcoin mkdir -p * minor changes in instructions * Create setup_whirlpool.sh * updated instructions and deleted repeated code * Delete setup_whirlpool.sh * Set for future upgrades * renamed whirlpool.jar based on post_install.sh * systemctl enable whirlpool * use black/white whirlpool logo * Update mynode_post_upgrade.sh * Update mynode_post_upgrade.sh * Update bitcoin.conf updated for dojo * Update mynode_post_upgrade.sh * Update mynode_post_upgrade.sh * Update mynode_post_upgrade.sh * Update mynode_post_upgrade.sh * Update mynode_post_upgrade.sh * dojo compatible conf updated for dojo * update Whirlpool-cli to 0.9.2 * Update to whirlpool 0.9.3 Co-authored-by: Abhishek Shandilya <abhiShandy@users.noreply.github.com> Co-authored-by: Taylor Helsper <tehelsper@gmail.com> 2019-12-26 04:38:30 +00:00			`exit 0`