ufw.sh

manjaro.sh

@@ -1,9 +1,5 @@
-# firewall
+#!/bin/sh
-sudo ufw enable
+set -e
-sudo ufw allow 22/tcp comment "ssh"
-sudo ufw allow 80/tcp comment "web"
-sudo ufw allow 443/tcp comment "websecure"
-sudo ufw allow 10000:10100/tcp comment "generic"
 
 # general
 sudo systemctl enable --now sshd.service
@@ -32,16 +28,9 @@ yay syncthings rclone
 sudo systemctl enable --now syncthing@hjalmarlucius.service
 systemctl --user daemon-reload
 systemctl --user enable --now rclone-gdrive.service
-sudo ufw allow 22000,21027/udp comment "syncthing"
-sudo ufw allow to 224.0.0.0/4 comment "Multicast"
 
 # docker incl non-root daemon
 yay docker docker-compose dry-bin nvidia-docker docker-buildx
-sudo ufw allow 2376/tcp comment "Docker"
-sudo ufw allow 2377/tcp comment "Docker"
-sudo ufw allow 4789/udp comment "Docker"
-sudo ufw allow 7946/udp comment "Docker"
-sudo ufw allow 7946/tcp comment "Docker"
 sudo groupadd docker && sudo usermod -aG docker $USER
 sudo systemctl enable --now containerd.service
 sudo systemctl enable --now docker.service
@@ -59,14 +48,11 @@ yay zathura zathura-pdf-mupdf zathura-djvu zathura-ps
 yay noto-fonts-emoji ttf-hack
 
 # browser
-yay qutebrowser pdfjs bitwarden-cli
 
 # zerotier
 yay zerotier-one
 sudo systemctl enable --now zerotier-one.service
 sudo zerotier-cli join d5e5fb653797795b
-sudo ufw allow from 9993/udp comment "zerotier"
-sudo ufw allow from 172.30.0.0/16 comment "zerotier"
 
 # coolercontrol
 yay coolercontrol
@@ -76,20 +62,17 @@ sudo systemctl edit coolercontrold.service  # set log level to WARN
 # video streaming
 yay plex-media-server
 sudo systemctl enable --now plexmediaserver.service
-sudo ufw allow 8010 comment "chromecast"
-sudo ufw allow 32400/tcp comment "plex"
-sudo ufw allow 1900/udp comment "plex DLNA server"
-sudo ufw allow 32469/tcp comment "plex DLNA server"
-sudo ufw allow 32410,32412,32413,32414/udp comment "plex GDM discovery"
 
-# steam
+# div applications
-yay steam
+yay i3status \
-sudo ufw allow 27031,27036/udp comment "Steam Link"
+    rofi \
-sudo ufw allow 27036,27037/tcp comment "Steam Link"
+    mutt \
-
+    redshift \
-# qbittorrent
+    discord \
-yay qbittorrent
+    teamviewer \
-sudo ufw allow 6881/tcp comment "qbittorrent"
+    zerotier-one \
-
+    qalculate \
-# applications
+    cmus \
-yay i3status rofi mutt redshift discord teamviewer qalculate cmus ncspot
+    ncspot \
+    steam \
+    qbittorrent

ufw.sh

@@ -0,0 +1,44 @@
+#!/bin/sh
+set -e
+
+ZEROTIER_HJARL="172.30.0.0/255.255.0.0"
+
+ufw disable
+ufw reset
+ufw default deny incoming
+ufw default allow outgoing
+ufw allow "SSH"
+ufw allow "qBittorrent"
+ufw allow "syncthing"
+ufw allow "WWW Full"
+
+ufw allow in 10000:10100/tcp comment "generic"
+
+# docker
+ufw allow in 2376,2377,7946/tcp comment "Docker tcp"
+ufw allow in 4789,7946/udp comment "Docker udp"
+
+# multicast
+ufw allow in proto igmp to 224.0.0.0/8 comment "multicast"
+
+# zerotier
+ufw allow in 9993/udp comment "zerotier"
+ufw allow in from $ZEROTIER_HJARL comment "zerotier hjarl network"
+
+# plex
+ufw allow in 1900/udp comment "upnp service discovery"
+ufw allow in 32400/tcp comment "plex"
+ufw allow in 32410,32412:32414/udp comment "plex GDM network discovery"
+ufw allow in 32469/tcp comment "plex DLNA server"
+ufw allow in from 192.168.0.0/16 to any port 32768:61000 proto udp comment "ephemeral ports"
+
+# steam link
+ufw allow in 27036,27037/tcp comment "Steam Link tcp"
+ufw allow in 27031,27036/udp comment "Steam Link udp"
+
+# enable firewall
+ufw enable
+
+# list all firewall rules
+ufw status verbose
+