diff --git a/manjaro.sh b/manjaro.sh old mode 100644 new mode 100755 index 840e429..647916f --- a/manjaro.sh +++ b/manjaro.sh @@ -1,9 +1,5 @@ -# firewall -sudo ufw enable -sudo ufw allow 22/tcp comment "ssh" -sudo ufw allow 80/tcp comment "web" -sudo ufw allow 443/tcp comment "websecure" -sudo ufw allow 10000:10100/tcp comment "generic" +#!/bin/sh +set -e # general sudo systemctl enable --now sshd.service @@ -32,16 +28,9 @@ yay syncthings rclone sudo systemctl enable --now syncthing@hjalmarlucius.service systemctl --user daemon-reload systemctl --user enable --now rclone-gdrive.service -sudo ufw allow 22000,21027/udp comment "syncthing" -sudo ufw allow to 224.0.0.0/4 comment "Multicast" # docker incl non-root daemon yay docker docker-compose dry-bin nvidia-docker docker-buildx -sudo ufw allow 2376/tcp comment "Docker" -sudo ufw allow 2377/tcp comment "Docker" -sudo ufw allow 4789/udp comment "Docker" -sudo ufw allow 7946/udp comment "Docker" -sudo ufw allow 7946/tcp comment "Docker" sudo groupadd docker && sudo usermod -aG docker $USER sudo systemctl enable --now containerd.service sudo systemctl enable --now docker.service @@ -59,14 +48,11 @@ yay zathura zathura-pdf-mupdf zathura-djvu zathura-ps yay noto-fonts-emoji ttf-hack # browser -yay qutebrowser pdfjs bitwarden-cli # zerotier yay zerotier-one sudo systemctl enable --now zerotier-one.service sudo zerotier-cli join d5e5fb653797795b -sudo ufw allow from 9993/udp comment "zerotier" -sudo ufw allow from 172.30.0.0/16 comment "zerotier" # coolercontrol yay coolercontrol 
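Review bot: Nothing in this file now puts a firewall up before the unchanged `sudo systemctl enable --now sshd.service` that immediately follows `set -e`: the `ufw` lines that used to precede it are removed and, as far as visible, ufw.sh is not invoked from here, so sshd and every service enabled later is reachable until the operator runs ufw.sh by hand. Make that dependency explicit at the top, e.g. `# run ./ufw.sh first: firewall rules live there, sshd below is exposed until they are applied`, or call it from this script. Also note that `set -e` does not catch the `sudo groupadd docker && sudo usermod -aG docker $USER` list further down (context in the next hunk): when the group already exists groupadd fails, usermod is skipped without error and the script carries on, leaving the user silently out of the docker group.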
@@ -76,20 +62,17 @@ sudo systemctl edit coolercontrold.service # set log level to WARN # video streaming yay plex-media-server sudo systemctl enable --now plexmediaserver.service -sudo ufw allow 8010 comment "chromecast" -sudo ufw allow 32400/tcp comment "plex" -sudo ufw allow 1900/udp comment "plex DLNA server" -sudo ufw allow 32469/tcp comment "plex DLNA server" -sudo ufw allow 32410,32412,32413,32414/udp comment "plex GDM discovery" -# steam -yay steam -sudo ufw allow 27031,27036/udp comment "Steam Link" -sudo ufw allow 27036,27037/tcp comment "Steam Link" - -# qbittorrent -yay qbittorrent -sudo ufw allow 6881/tcp comment "qbittorrent" - -# applications -yay i3status rofi mutt redshift discord teamviewer qalculate cmus ncspot +# div applications +yay i3status \ + rofi \ + mutt \ + redshift \ + discord \ + teamviewer \ + zerotier-one \ + qalculate \ + cmus \ + ncspot \ + steam \ + qbittorrent diff --git a/ufw.sh b/ufw.sh new file mode 100755 index 0000000..2156c74 --- /dev/null +++ b/ufw.sh 
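Review bot: `zerotier-one` in the new `yay` list is already installed by the unchanged `yay zerotier-one` under `# zerotier` a few lines earlier (context of the previous hunk), so it is requested twice; drop it here. `# div applications` is a cryptic heading — `# misc applications` says what the list is. The per-app `ufw allow` lines removed here for Plex, Steam Link and qBittorrent presumably reappear in the new ufw.sh; a one-line pointer such as `# firewall rules for these apps live in ufw.sh` would stop a reader of this file from seeing them simply vanish.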
@@ -0,0 +1,44 @@
+#!/bin/sh
+set -e
+
+ZEROTIER_HJARL="172.30.0.0/255.255.0.0"
+
+ufw disable
+ufw reset
+ufw default deny incoming
+ufw default allow outgoing
+ufw allow "SSH"
+ufw allow "qBittorrent"
+ufw allow "syncthing"
+ufw allow "WWW Full"
+
+ufw allow in 10000:10100/tcp comment "generic"
+
+# docker
+ufw allow in 2376,2377,7946/tcp comment "Docker tcp"
+ufw allow in 4789,7946/udp comment "Docker udp"
+
+# multicast
+ufw allow in proto igmp to 224.0.0.0/8 comment "multicast"
+
+# zerotier
+ufw allow in 9993/udp comment "zerotier"
+ufw allow in from $ZEROTIER_HJARL comment "zerotier hjarl network"
+
+# plex
+ufw allow in 1900/udp comment "upnp service discovery"
+ufw allow in 32400/tcp comment "plex"
+ufw allow in 32410,32412:32414/udp comment "plex GDM network discovery"
+ufw allow in 32469/tcp comment "plex DLNA server"
+ufw allow in from 192.168.0.0/16 to any port 32768:61000 proto udp comment "ephemeral ports"
+
+# steam link
+ufw allow in 27036,27037/tcp comment "Steam Link tcp"
+ufw allow in 27031,27036/udp comment "Steam Link udp"
+
+# enable firewall
+ufw enable
+
+# list all firewall rules
+ufw status verbose
+
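Review bot: `ufw allow in from $ZEROTIER_HJARL comment "zerotier hjarl network"` admits every port and protocol from the whole 172.30.0.0/16 ZeroTier range, so any peer authorised on that network gets the same reach as a local process, including the Docker daemon API on 2376/tcp that the `# docker` block additionally opens to all sources (no `from`). If those ports are only needed from the LAN or the overlay, scope them the way the Plex ephemeral rule is scoped, e.g. `ufw allow in from 192.168.0.0/16 to any port 2376,2377,7946 proto tcp comment "Docker tcp"`, and replace the blanket ZeroTier allow with the specific ports actually needed (whether the daemon listens on 2376 at all is not visible here). `ufw reset` asks for interactive confirmation unless given `--force`, so with `set -e` the script stops there when run unattended; `ufw --force reset` (and `ufw --force enable`, which prompts the same way when it detects an ssh session) is the scriptable form. Finally, the multicast rule shrank from the removed any-protocol `224.0.0.0/4` to `proto igmp to 224.0.0.0/8`, which no longer passes multicast UDP such as mDNS nor the 239.0.0.0/8 groups used by SSDP and Plex GDM (those still arrive only because their UDP ports are opened to any destination above) — fine if deliberate, but worth a comment such as `# IGMP only: multicast UDP is admitted per port below`.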