Skip to content

Instantly share code, notes, and snippets.

@auipga
Created May 13, 2017 04:55
Show Gist options
  • Save auipga/01fa85b60dc5b87a2ea354e69fe75dea to your computer and use it in GitHub Desktop.
Save auipga/01fa85b60dc5b87a2ea354e69fe75dea to your computer and use it in GitHub Desktop.
Help configuring ufw for Resilio Sync (rslsync)
#!/bin/bash
# Author: https://gist.github.com/auipga/
# Based on:
# Sync (outdated?): https://kb-archive.getsync.com/kbs/1.3.5/kb/hc/en-us/articles/210153106-Ports-and-protocols-used-by-Resilio-Connect.html
# Resilio Connect: https://help.getsync.com/hc/en-us/articles/204754759-What-ports-and-protocols-are-used-by-Sync-
# todo: read sync.conf from resilio server, parse json, fill IPs dynamically
# todo: delete duplicate rules as 'host' returns multiple IPs for resilios domains
# todo: detect installed Sync version and handle >2.3 and >=2.4 automatically or Resilio Connect. (if possible)
# Check dependencies
which rslsync 1>/dev/null 2>&1; if [ $? -eq 1 ]; then echo "Resilio Sync is not installed or at least not in \$PATH."; exit 1; fi;
which ufw 1>/dev/null 2>&1; if [ $? -eq 1 ]; then echo "This script is designed to use with Uncomplicated Firewall (ufw)."; exit 1; fi;
which host 1>/dev/null 2>&1; if [ $? -eq 1 ]; then echo "This script makes use of the host command. Please install dnsutils."; exit 1; fi;
#which netstat 1> /dev/null 2>&1; if [ $? -eq 1 ]; then echo "This script makes use of the netstat command. Please install net-tools."; exit 1; fi;
#which wget 1> /dev/null 2>&1; if [ $? -eq 1 ]; then echo "This script makes use of wget. Please install wget."; exit 1; fi;
#which jq 1> /dev/null 2>&1; if [ $? -eq 1 ]; then echo "This script makes use of jq (https://stedolan.github.io/jq/). Please install jq."; exit 1; fi;
# check for root
if [[ "$EUID" -ne 0 ]]; then
echo "ERROR: You need to be root to run this script"
exit
fi
# check for cupport for comments
# comments for ufw rules are supported since version 0.35
ufw_version=$(ufw version | head | head -1 | cut -d' ' -f2 | cut -d'-' -f1 | cut -d'.' -f2)
if [ $ufw_version -ge 35 ]; then
supports_comment=1;
else
supports_comment=0;
fi
resolveIP() {
ip=$(host $1 | awk '/has address/ { print $4 ; exit }');
}
allow() {
echo "Firewall rule(s) for $1:"
for i in "${@:2}"; do echo " * $i"; done;
if [[ $default -eq 1 ]]; then
read -p "Do you want to apply this? [Y/n] " -n 1 -r
else
read -p "Do you want to apply this? [y/N] " -n 1 -r
fi
if [[ ! -z $REPLY ]]; then echo; fi;
if [[ $REPLY =~ ^[Yy]$ || (-z $REPLY && $default -eq 1 ) ]]; then
for i in "${@:2}"; do
if [ $supports_comment -eq 1 ]; then
ufw allow $i comment "rslsync: $1";
else
ufw allow $i;
fi
done;
else
echo Skipped \"$1\".
fi
echo; echo;
}
ask_allow_y() {
default=1;
allow "$@";
}
ask_allow_n() {
default=0;
allow "$@";
}
# Web interface
# Default: 8888
# Preferences -> Web UI -> Connection -> Listening Port (/etc/resilio-sync/config.json -> webui.listen)
ask_allow_y "Web interface" "8888/tcp";
# Discovery of tracker and (only for Sync) relay IPs:
# Sync version 2.4: HTTP, port 80 to config.usyncapp.com (via DNS name) (http://config.getsync.com/sync.conf)
resolveIP 'config.getsync.com';
ask_allow_y "config" "proto tcp to $ip port 80"
# Sync version 2.3: HTTP, port 80 to config.usyncapp.com (via DNS name) (http://config.usyncapp.com/sync.conf)
resolveIP 'config.usyncapp.com';
ask_allow_n "config" "proto tcp to $ip port 80"
# Resilio Connect: HTTP port 80 to connect-config.resilio.com (via DNS name) (http://connect-config.resilio.com/sync.conf)
resolveIP 'connect-config.resilio.com';
ask_allow_n "connect-config" "proto tcp to $ip port 80"
# Connecting to the tracker server for automatic peer discovery
ask_allow_y "Tracker server / peer discovery" "to 173.244.217.42 port 4000" "to 209.95.56.60 port 4000"
# [!] Only for Sync, not Resilio Connect
# Connecting to relay server to transfer data if direct connection is not possible:
# TCP and UDP ports 3000 and 3001 to 173.244.209.150, 107.182.230.198
# Latest IPs can be found here:
# * http://config.getsync.com/sync.conf (Sync version 2.4)
# * http://config.usyncapp.com/sync.conf (Sync version 2.3)
ask_allow_n "Relay server" "proto tcp to 173.244.209.150 port 3000,3001" "proto udp to 173.244.209.150 port 3000,3001" "proto tcp to 107.182.230.198 port 3000,3001" "proto udp to 107.182.230.198 port 3000,3001"
# Direct connection to transfer data and listen for incoming connections:
# TCP and UDP listening port as defined in Sync Preferences -> Advanced -> Connection -> Listening Port
ask_allow_y "Direct connection" "3839"
# Peer discovery in LAN
# Multicast UDP 239.192.0.0 over port 3838
#ask_allow_n "LAN discovery" "foobar_not_yet_implemented from any to 239.192.0.0/16 port 3838"
# Automatic port mapping over UPnP and NAT-PMP
# UDP multicast to 239.255.255.250 port 1900
# UDP unicast to default gateway port 5351
#ask_allow_n "Automatic port mapping" "foobar_not_yet_implemented proto udp from any to 239.255.255.250 port 1900" "proto udp from any to [gateway IP] port 5351
# which ports does my instance of Resilio Sync use?
#netstat -tlpu | grep rslsync
# there should be 2 entries, the web interface (default: 8888) and
# get Sync version
#sync_version=$(rslsync --help | head -2 | tail -1)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment