From ea98693fb8d01a22fd7b2479e8da865f4502a1bc Mon Sep 17 00:00:00 2001
From: Craig Jennings
Date: Tue, 20 Jan 2026 00:03:59 -0600
Subject: fix(archsetup): remove unnecessary firewall ports

Remove ports for services not installed:
- 80,443,8080/tcp (no web server)
- 9040,9050,9051,9053,9119/tcp (Tor relay - only client installed)
- 443/tcp limit (no HTTPS service)

Add inline comments documenting each port's purpose.
---
 archsetup | 33 +++++++++++----------------------
 1 file changed, 11 insertions(+), 22 deletions(-)

(limited to 'archsetup')

diff --git a/archsetup b/archsetup
index d87edcc..275068d 100755
--- a/archsetup
+++ b/archsetup
@@ -798,46 +798,35 @@ EOF
     action="starting fail2ban service" && display "task" "$action"
     systemctl start fail2ban >> "$logfile" 2>&1 || error "error" "$action" "$?"
-    # Firewall
-
-    # deny all connections by default, then allow the following:
-    # http/s : 80/tcp, 443/tcp
-    # tor : 9040,9050,9051,9053,9119/tcp
-    # email : IMAP, IMAPS
-    # mDNS printer discovery : 5353/udp
-    # ssh : ssh
-    # syncthing : 22000/tcp, 22000/udp, 21027/udp
-    # torrents : transmission
-    # calibre content server : 8080/tcp
-    # warpinator transfers : 42000/tcp, 42000/udp
-    # warpinator registration : 42000/tcp, 42000/udp
-    # warpinator zeroconf : 5353/tcp, 5353/udp
-
     display "subtitle" "Firewall"
     pacman_install ufw
     action="configuring ufw to deny by default" && display "task" "$action"
     ufw default deny incoming >> "$logfile" 2>&1 || error "error" "$action" "$?"
+    # Firewall rules - only open ports for services we actually run
     for protocol in \
-        "80,443,8080/tcp" \
-        "9040,9050,9051,9053,9119/tcp" \
         "IMAP" "IMAPS" \
         "ssh" \
         "22000/tcp" "22000/udp" "21027/udp" \
-        "42001/tcp" "42001/udp" \
         "42000/tcp" "42000/udp" \
+        "42001/tcp" "42001/udp" \
         "5353/tcp" "5353/udp" \
         "transmission" \
     ; do
+        # IMAP/IMAPS: Thunderbird email client
+        # ssh: OpenSSH server
+        # 22000/tcp,udp + 21027/udp: Syncthing file sync
+        # 42000/tcp,udp: Warpinator file transfers
+        # 42001/tcp,udp: Warpinator registration/auth
+        # 5353/tcp,udp: mDNS/Avahi local network discovery
+        # transmission: BitTorrent client
         action="adding ufw rule to allow $protocol" && display "task" "$action"
         (ufw allow "$protocol" >> "$logfile" 2>&1) || error "error" "$action" "$?"
     done
-    action="adding limits to protect from brute force attacks" && display "task" "$action"
-    (ufw limit 22/tcp >> "$logfile" 2>&1 && \
-        ufw limit 443/tcp >> "$logfile" 2>&1) || \
-        error "error" "$action" "$?"
+    action="rate-limiting SSH to protect from brute force attacks" && display "task" "$action"
+    (ufw limit 22/tcp >> "$logfile" 2>&1) || error "error" "$action" "$?"
     action="enabling firewall service to launch on boot" && display "task" "$action"
     systemctl enable ufw.service >> "$logfile" 2>&1 || error "error" "$action" "$?"
--
cgit v1.2.3
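Review bot: The `"IMAP" "IMAPS"` entries still open inbound 143/993 on this host, yet the new comment `# IMAP/IMAPS: Thunderbird email client` gives a mail client as the reason — a client only makes outbound connections, which the default policy already permits, so these look like the same kind of unused listener ports the commit set out to remove, unless something on this machine actually serves IMAP. `ufw allow ssh` followed later by `ufw limit 22/tcp` also makes the SSH rule depend on ufw merging the two (it normally reports "Rule updated" and swaps the ALLOW for the LIMIT); dropping `"ssh"` from the list and keeping only the `ufw limit 22/tcp` line removes that dependency. The per-port comments sit inside the loop body because a `#` cannot follow the `\` continuations of the `for` list, but an array literal does accept trailing comments, so each note can go beside the entry it documents, as in the rewrite below. Since Syncthing discovery, Warpinator and mDNS are LAN-scoped services, a `from <lan-cidr>` qualifier on those allows would also keep them off untrusted interfaces, if the script knows the local subnet. The enclosing function starts before and continues after this hunk.
```shell
    # … unchanged: fail2ban start, ufw install, default deny incoming …
    # Firewall rules - only open ports for services that actually listen here.
    # ssh is not in this list: it is rate-limited below instead of plainly allowed.
    allowed=(
        "22000/tcp" "22000/udp" "21027/udp"   # Syncthing file sync
        "42000/tcp" "42000/udp"               # Warpinator file transfers
        "42001/tcp" "42001/udp"               # Warpinator registration/auth
        "5353/tcp" "5353/udp"                 # mDNS/Avahi local network discovery
        "transmission"                        # BitTorrent client (incoming peer connections)
    )
    for protocol in "${allowed[@]}"; do
        action="adding ufw rule to allow $protocol" && display "task" "$action"
        (ufw allow "$protocol" >> "$logfile" 2>&1) || error "error" "$action" "$?"
    done
    action="rate-limiting SSH to protect from brute force attacks" && display "task" "$action"
    (ufw limit 22/tcp >> "$logfile" 2>&1) || error "error" "$action" "$?"
    # … unchanged: enable ufw.service …
```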