add firewalld config file

bookworm/pepbld.sh

@@ -55,6 +55,7 @@ mkdir -p $uchinanchu/fusato/config/includes.chroot/boot/grub
 mkdir -p $uchinanchu/fusato/config/includes.chroot/etc/default
 mkdir -p $uchinanchu/fusato/config/includes.installer/usr/share
 mkdir -p $uchinanchu/fusato/config/includes.chroot/etc
+mkdir -p $uchinanchu/fusato/config/includes.chroot/etc/firewalld/zones
 
 # Install software
 echo "#Install system packages.
@@ -88,7 +89,7 @@ gvfs-backends
 cp $uchinanchu/pepgrub/grub $uchinanchu/fusato/config/includes.chroot/etc/default
 cp $uchinanchu/pephooks/normal/* $uchinanchu/fusato/config/hooks/normal
 cp $uchinanchu/peprepo/* $uchinanchu/fusato/config/archives
-#cp $uchinanchu/pepfirewall/* $uchinanchu/fusato/config/includes.chroot/etc
+cp $uchinanchu/pepfirewall/* $uchinanchu/fusato/config/includes.chroot/etc/firewalld/zones
 cp $uchinanchu/pepinstaller/preseed/preseed.cfg $uchinanchu/fusato/config/includes.installer
 
 

daedalus/pepbld.sh

@@ -64,6 +64,7 @@ mkdir -p $uchinanchu/fusato/config/includes.chroot/boot/grub
 mkdir -p $uchinanchu/fusato/config/includes.chroot/etc/default
 mkdir -p $uchinanchu/fusato/config/includes.installer/usr/share
 mkdir -p $uchinanchu/fusato/config/includes.chroot/etc
+mkdir -p $uchinanchu/fusato/config/includes.chroot/etc/firewalld/zones
 
 # Install software
 echo "#Install system packages.
@@ -95,7 +96,7 @@ podman
 cp $uchinanchu/pepgrub/grub $uchinanchu/fusato/config/includes.chroot/etc/default
 cp $uchinanchu/pephooks/normal/* $uchinanchu/fusato/config/hooks/normal
 cp $uchinanchu/peprepo/* $uchinanchu/fusato/config/archives
-cp $uchinanchu/pepfirewall/* $uchinanchu/fusato/config/includes.chroot/etc
+cp $uchinanchu/pepfirewall/* $uchinanchu/fusato/config/includes.chroot/etc/firewalld/zones
 cp $uchinanchu/pepinstaller/preseed/preseed.cfg $uchinanchu/fusato/config/includes.installer
 
 

pepfirewall/nftables.conf

@@ -1,65 +0,0 @@
-#!/usr/sbin/nft -f
-
-flush ruleset
-
-table inet filter {
-
-       chain inbound_ipv4 {
-        # accepting ping (icmp-echo-request) for diagnostic purposes.
-        # However, it also lets probes discover this host is alive.
-        # This sample accepts them within a certain rate limit:
-        #
-        # icmp type echo-request limit rate 5/second accep
-        }
-
-       chain inbound_ipv6 {
-        # accept neighbour discovery otherwise connectivity breaks
-        #
-        icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
-
-        # accepting ping (icmpv6-echo-request) for diagnostic purposes.
-        # However, it also lets probes discover this host is alive.
-        # This sample accepts them within a certain rate limit:
-        #
-        # icmpv6 type echo-request limit rate 5/second accept
-        }
-
-       chain inbound {
-
-        # By default, drop all traffic unless it meets a filter
-        # criteria specified by the rules that follow below.
-        type filter hook input priority 0; policy drop;
-
-        # Allow traffic from established and related packets, drop invalid
-        ct state vmap { established : accept, related : accept, invalid : drop } 
-
-        # Allow loopback traffic.
-        iifname lo accept
-
-        # Jump to chain according to layer 3 protocol using a verdict map
-        meta protocol vmap { ip : jump inbound_ipv4, ip6 : jump inbound_ipv6 }
-
-        # Allow SSH on port TCP/22 and allow HTTP(S) TCP/80 and TCP/443
-        # for IPv4 and IPv6.
-        tcp dport { 22, 80, 443, 9090 } accept
-
-        # Uncomment to enable logging of denied inbound traffic
-        # log prefix "[nftables] Inbound Denied: " counter drop
-        }
-
-    chain forward {
-        # Drop everything (assumes this device is not a router)
-        type filter hook forward priority 0; policy drop;
-        }
-        chain input {
-                type filter hook input priority 0;
-        }
-        chain forward {
-                type filter hook forward priority 0;
-        }
-        chain output {
-                type filter hook output priority 0;
-        }
-}
-
-

pepfirewall/public.xml

@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<zone>
+  <short>Public</short>
+  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
+  <service name="ssh"/>
+  <service name="dhcpv6-client"/>
+  <service name="cockpit"/>
+  <service name="dhcpv6"/>
+  <service name="dhcp"/>
+  <service name="dns"/>
+  <service name="https"/>
+  <service name="http"/>
+  <port port="9090" protocol="tcp"/>
+  <port port="22" protocol="tcp"/>
+  <port port="80" protocol="tcp"/>
+  <port port="443" protocol="tcp"/>
+  <forward/>
+</zone>

pephooks/normal/0680-open-firewalld-ports.hook.chroot

@@ -1,19 +0,0 @@
-#!/bin/bash
-
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# SPDX-FileCopyrightText:  2023 PeppemrintOS Team  (peppermintosteam@proton.me)
-
-# Define the ports you want to open
-PORTS=("80/tcp" "22/tcp" "9090/tcp" "443/tcp")
-
-# Check if firewalld is running
-if systemctl is-active --quiet firewalld; then
-  # Add the specified ports
-  for PORT in "${PORTS[@]}"; do
-    firewall-cmd --add-port="$PORT" --permanent
-  done
-  
-  # Reload the firewall rules to apply the changes
-  firewall-cmd --reload
-fi