@netravnen
Forked from auipga/rslsync-ufw.sh
Last active January 29, 2024 11:59
Help configuring ufw for Resilio Sync (rslsync)
#!/bin/bash
# Author: https://gist.github.com/auipga/
# Based on:
# Sync (outdated?): https://kb-archive.getsync.com/kbs/1.3.5/kb/hc/en-us/articles/210153106-Ports-and-protocols-used-by-Resilio-Connect.html
# Resilio Connect: https://help.getsync.com/hc/en-us/articles/204754759-What-ports-and-protocols-are-used-by-Sync-
# todo: read sync.conf from resilio server, parse json, fill IPs dynamically
# todo: delete duplicate rules, as 'host' returns multiple IPs for Resilio's domains
# todo: detect installed Sync version and handle >2.3 and >=2.4 automatically or Resilio Connect. (if possible)
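# Check dependencies
# `command -v` is the portable "is this tool installed?" test; the old
# `which ...; if [ $? -eq 1 ]` form missed other non-zero statuses (e.g. 127).
# Arguments: $1 - tool name, $2 - message printed (to stderr) when it is missing
# Exits:     1 when the tool is not in $PATH
require_tool() {
  local tool=$1 hint=$2
  if ! command -v "$tool" >/dev/null 2>&1; then
    printf '%s\n' "$hint" >&2
    exit 1
  fi
}
require_tool rslsync "Resilio Sync is not installed or at least not in \$PATH."
require_tool ufw "This script is designed to use with Uncomplicated Firewall (ufw)."
require_tool host "This script makes use of the host command. Please install dnsutils."
#require_tool netstat "This script makes use of the netstat command. Please install net-tools."
#require_tool wget "This script makes use of wget. Please install wget."
#require_tool jq "This script makes use of jq (https://stedolan.github.io/jq/). Please install jq."
# check for root (ufw rule changes need it)
if [[ "$EUID" -ne 0 ]]; then
  printf '%s\n' "ERROR: You need to be root to run this script" >&2
  exit 1   # non-zero, so a wrapper script does not mistake the refusal for success
fi
# check for support for comments
# comments for ufw rules are supported since version 0.35
# `ufw version` prints e.g. "ufw 0.36"; keep the release string and split it
# into major/minor so a future 1.x is also recognised as supporting comments.
ufw_release=$(ufw version | head -n 1 | cut -d' ' -f2 | cut -d'-' -f1)
ufw_major=${ufw_release%%.*}
ufw_version=${ufw_release#*.}
ufw_version=${ufw_version%%.*}   # minor number only, as before (e.g. "36")
if [[ "$ufw_major" =~ ^[0-9]+$ && "$ufw_version" =~ ^[0-9]+$ ]] \
  && (( ufw_major > 0 || ufw_version >= 35 )); then
  supports_comment=1
else
  # an unparsable version string is treated as "no comment support" instead
  # of aborting with an integer-comparison error
  supports_comment=0
fi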
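#######################################
# Resolve a host name to its first IPv4 address ("has address" line of `host`).
# Globals:   ip (written) - the dotted-quad address, or empty on failure
# Arguments: $1 - host name to resolve
# Outputs:   a warning on stderr when no usable address was found
# Returns:   0 if ip was set, 1 otherwise
#######################################
resolveIP() {
  local name=$1
  ip=$(host "$name" 2>/dev/null | awk '/has address/ { print $4 ; exit }')
  # The result is later word-split into a `ufw allow` argument list, so only a
  # plain dotted quad is accepted; anything else (empty output, an unexpected
  # line format, a DNS answer with extra tokens) is rejected here.
  if [[ ! "$ip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
    printf 'WARNING: could not resolve %s to an IPv4 address\n' "$name" >&2
    ip=
    return 1
  fi
  return 0
}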
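#######################################
# Print the proposed rule(s), ask for confirmation and apply them with ufw.
# Globals:   default (read) - 1 = plain Enter means "yes", otherwise "no"
#            supports_comment (read) - 1 = attach a "rslsync: <name>" comment
#            REPLY (written) - the single key read from the user
# Arguments: $1 - human-readable name of the rule group
#            $2.. - ufw rule specifications, e.g. "8888/tcp" or
#                   "proto tcp to 192.0.2.1 port 80"
# Outputs:   the rule list and a prompt on stdout; runs `ufw allow` per rule
#######################################
allow() {
  local name=$1
  local rule
  shift
  printf 'Firewall rule(s) for %s:\n' "$name"
  for rule in "$@"; do printf ' * %s\n' "$rule"; done
  if [[ "${default:-0}" -eq 1 ]]; then
    read -r -n 1 -p "Do you want to apply this? [Y/n] "
  else
    read -r -n 1 -p "Do you want to apply this? [y/N] "
  fi
  # the one-character read leaves the cursor after the prompt
  if [[ -n "$REPLY" ]]; then echo; fi
  if [[ "$REPLY" =~ ^[Yy]$ || ( -z "$REPLY" && "${default:-0}" -eq 1 ) ]]; then
    for rule in "$@"; do
      # Each rule string is deliberately word-split into separate ufw
      # arguments ("proto tcp to X port 80" is one string per rule).  The
      # strings come from this script's own literals plus the address
      # produced by resolveIP, never from user input.
      # shellcheck disable=SC2086
      if [[ "${supports_comment:-0}" -eq 1 ]]; then
        ufw allow $rule comment "rslsync: $name"
      else
        ufw allow $rule
      fi
    done
  else
    printf 'Skipped "%s".\n' "$name"
  fi
  echo; echo
}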
# Ask for a rule group with "yes" as the default answer (plain Enter applies).
# Arguments: passed through to allow() unchanged
# Globals:   default (written) - left at 1 for allow() to read
ask_allow_y() {
  default=1   # deliberately global: allow() consults it
  allow "$@"
  return $?
}
# Ask for a rule group with "no" as the default answer (plain Enter skips).
# Arguments: passed through to allow() unchanged
# Globals:   default (written) - left at 0 for allow() to read
ask_allow_n() {
  default=0   # deliberately global: allow() consults it
  allow "$@"
  return $?
}
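# Web interface
# Default: 8888
# Preferences -> Web UI -> Connection -> Listening Port (/etc/resilio-sync/config.json -> webui.listen)
# NOTE(review): "8888/tcp" admits the Web UI from any source address. If the
# UI is only used from the local network, restrict the rule to it, e.g.
# "from <LAN_CIDR> to any port 8888 proto tcp" (<LAN_CIDR> is a placeholder).
ask_allow_y "Web interface" "8888/tcp"
# Discovery of tracker and (only for Sync) relay IPs:
# Each config host is resolved once, at rule-creation time. When resolution
# fails the rule is skipped rather than handed to ufw with an empty address
# (which would otherwise produce a malformed or far too broad rule).
# Sync version 2.4: HTTP, port 80 to config.getsync.com (via DNS name) (http://config.getsync.com/sync.conf)
if resolveIP 'config.getsync.com' && [[ -n "$ip" ]]; then
  ask_allow_y "config" "proto tcp to $ip port 80"
fi
# Sync version 2.3: HTTP, port 80 to config.usyncapp.com (via DNS name) (http://config.usyncapp.com/sync.conf)
if resolveIP 'config.usyncapp.com' && [[ -n "$ip" ]]; then
  ask_allow_n "config" "proto tcp to $ip port 80"
fi
# Resilio Connect: HTTP port 80 to connect-config.resilio.com (via DNS name) (http://connect-config.resilio.com/sync.conf)
if resolveIP 'connect-config.resilio.com' && [[ -n "$ip" ]]; then
  ask_allow_n "connect-config" "proto tcp to $ip port 80"
fi
# Connecting to the tracker server for automatic peer discovery
# NOTE(review): these addresses are hard-coded; verify them against the
# current sync.conf before applying (see the todo at the top of the file).
ask_allow_y "Tracker server / peer discovery" "to 66.165.233.194 port 4000" "to 2604:4500:9:58::10 port 4000" "to 23.111.157.86 port 4000" "to 2604:4500:5:245::10 port 4000"
# [!] Only for Sync, not Resilio Connect
# Connecting to relay server to transfer data if direct connection is not possible:
# TCP and UDP ports 3000 and 3001 to 173.244.209.150, 107.182.230.198
# Latest IPs can be found here:
# * http://config.getsync.com/sync.conf (Sync version 2.4)
# * http://config.usyncapp.com/sync.conf (Sync version 2.3)
# NOTE(review): the addresses in the comment above differ from the ones in
# the rules below; confirm which set is current before applying.
ask_allow_n "Relay server" "proto tcp to 66.206.5.74 port 3000,3001" "proto udp to 66.165.255.194 port 3000,3001" "proto tcp to 2604:4500:3:80::10 port 3000,3001" "proto udp to 2604:4500:8:24a::10 port 3000,3001"
# Direct connection to transfer data and listen for incoming connections:
# TCP and UDP listening port as defined in Sync Preferences -> Advanced -> Connection -> Listening Port
# (a bare port number allows both TCP and UDP from any source)
ask_allow_y "Direct connection" "3839"
# Peer discovery in LAN
# Multicast UDP 239.192.0.0 over port 3838
#ask_allow_n "LAN discovery" "foobar_not_yet_implemented from any to 239.192.0.0/16 port 3838"
# Automatic port mapping over UPnP and NAT-PMP
# UDP multicast to 239.255.255.250 port 1900
# UDP unicast to default gateway port 5351
#ask_allow_n "Automatic port mapping" "foobar_not_yet_implemented proto udp from any to 239.255.255.250 port 1900" "proto udp from any to [gateway IP] port 5351
# which ports does my instance of Resilio Sync use?
#netstat -tlpu | grep rslsync
# there should be 2 entries, the web interface (default: 8888) and
# get Sync version
#sync_version=$(rslsync --help | head -2 | tail -1)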