| author | Craig Jennings <c@cjennings.net> | 2026-01-21 18:46:37 -0600 |
|---|---|---|
| committer | Craig Jennings <c@cjennings.net> | 2026-01-21 18:46:37 -0600 |
| commit | 40e43c925453efc294a0ac9b37e92c64e8e54b4b (patch) | |
| tree | bbcf388dc49ffadb055d14326025f43824473f4d | |
| parent | fbc9f4ae8e8f70a955359121e0852c83bd8b7b36 (diff) | |
fix(archsetup): add firewall validation with critical warning
- Verify ufw is active after setup completes
- Display critical security warning in outro if firewall not active
- Include manual fix commands in warning message
| mode | file | lines changed |
|---|---|---|
| -rwxr-xr-x | archsetup | 21 |
| -rw-r--r-- | todo.org | 5 |

2 files changed, 25 insertions, 1 deletions
@@ -105,6 +105,7 @@ archsetup_packages="/var/log/archsetup-installed-packages.txt" min_disk_space_gb=20 state_dir="/var/lib/archsetup/state" error_messages=() +firewall_verified=false ### Cleanup Trap # Ensures tmpfs is unmounted if script exits unexpectedly @@ -847,6 +848,14 @@ EOF action="starting firewall service" && display "task" "$action" systemctl start ufw.service >> "$logfile" 2>&1 || error "error" "$action" "$?" + # Verify firewall is actually active + action="verifying firewall is active" && display "task" "$action" + if ufw status | grep -q "Status: active"; then + firewall_verified=true + else + error "error" "firewall verification failed - ufw is not active" "1" + fi + # Service Discovery display "subtitle" "Network Service Discovery" @@ -1697,6 +1706,18 @@ outro() { done fi + # Critical security warning if firewall setup failed + if [ "$firewall_verified" != "true" ]; then + printf "\n" | tee -a "$logfile" + printf "!!! CRITICAL SECURITY WARNING !!!\n" | tee -a "$logfile" + printf "!!! FIREWALL IS NOT ACTIVE !!!\n" | tee -a "$logfile" + printf "Your system may be unprotected. Please run these commands manually:\n" | tee -a "$logfile" + printf " sudo ufw default deny incoming\n" | tee -a "$logfile" + printf " sudo ufw enable\n" | tee -a "$logfile" + printf " sudo ufw status\n" | tee -a "$logfile" + printf "\n" | tee -a "$logfile" + fi + printf "\n" printf "Please reboot before working with your new workstation.\n\n" 
@@ -218,9 +218,12 @@ CLOSED: [2025-11-13 Wed] FTP download issue resolved - figlet-fonts 1.1-1 successfully installs in VM test *** TODO [#B] Improve error handling: UFW firewall, rmmod pcspkr, mkdir missing quotes -**** TODO [#B] Fix UFW firewall error handling (archsetup:395,410) +**** DONE [#B] Fix UFW firewall error handling (archsetup:395,410) +CLOSED: [2026-01-21 Wed] Firewall failures use ~|| error "error"~ which logs but continues - system may be left exposed Should use ~|| error "crash"~ or validate rules were applied successfully +RESOLVED: Added firewall verification after setup (checks "ufw status | grep Status: active"). +If verification fails, displays CRITICAL SECURITY WARNING in outro with manual fix commands. **** DONE [#B] Fix rmmod pcspkr error (archsetup:588) CLOSED: [2026-01-21 Wed] ~rmmod pcspkr~ doesn't check if module is loaded, produces error if already unloaded |
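Review bot: the `action="verifying firewall is active"` block in the archsetup hunk only checks that `ufw status` reports `Status: active`; it does not confirm the default-deny policy that the outro's manual fix commands (`sudo ufw default deny incoming`) assume, and the todo item being closed asked to "validate rules were applied successfully". Consider also testing `ufw status verbose` for `Default: deny (incoming)`, and append the status output to `$logfile` before the grep (the neighbouring `systemctl start ufw.service` line already redirects `>> "$logfile" 2>&1`) so a failed verification leaves a record of what ufw actually reported.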
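Review bot: the outro() warning keys off `$firewall_verified`, which is initialised to `false` at the top of the script and only set to `true` inside the firewall setup block. If that block can be skipped on a re-run (the script keeps resume state under `state_dir`), the flag stays false and the CRITICAL SECURITY WARNING fires even when ufw is already active. Re-running `ufw status | grep -q "Status: active"` inside outro(), or setting the flag wherever the step is treated as already done, would make the warning reflect the firewall's real state at exit. The manual fix sequence itself is sound: default deny incoming, enable, then status to confirm.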
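Review bot: the RESOLVED line added to todo.org records the check but not the decision. The item noted that `|| error "error"` logs but continues and suggested `|| error "crash"`; the fix keeps the non-fatal `error "error"` path and relies on the outro warning instead. One sentence stating that setup deliberately continues so the remaining steps complete, with the outro warning as the safety net, would make the closure self-explanatory. The `archsetup:395,410` references in the DONE heading are also stale now that the firewall block sits around line 848 per the hunk header.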
