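#!/bin/bash
#
# Write a permanent firewalld configuration for a host that runs SSH, HTTP/S
# and Webmin, a Jitsi videobridge, FTP/FTPS, TFTP/IDENT and a SIP/RTP VoIP
# stack, then reload firewalld so the rules take effect.
#
# All rules and the final DROP target are written to one zone ($zone), so the
# ports opened here and the default-DROP policy are guaranteed to land in the
# same zone.  Needs root and a running firewalld; bash-specific (brace
# expansion), hence the shebang.
set -euo pipefail

# Zone every rule is written to.  The original script relied on the default
# zone being "public" for everything except the --set-target line; pinning
# the zone removes that implicit dependency.
readonly zone=public

die() { printf '%s\n' "$*" >&2; exit 1; }

command -v firewall-cmd >/dev/null || die "firewall-cmd not found"

# Apply one permanent firewall-cmd change to $zone.
# Arguments: the firewall-cmd option(s) to apply
# Returns:   firewall-cmd's status; under set -e a hard failure stops the
#            script before --reload, so a half-written permanent config is
#            never activated.  (firewall-cmd reports ALREADY_ENABLED /
#            NOT_ENABLED as warnings with status 0, so re-runs are safe.)
fw() {
  firewall-cmd --permanent --zone="$zone" "$@"
}

echo
echo "*** Configuring firewall ***"
echo

# redirect FTPS to FTP
# NOTE(review): this maps the implicit-FTPS port onto the plaintext FTP
# listener, so a client that expects TLS on 990 will not get it; 990/tcp is
# also opened directly below.  Confirm which of the two is intended.
fw --add-forward-port=port=990:proto=tcp:toport=21

# SSH, HTTP, HTTPS, and Webmin/Custom (10000/tcp)
fw --add-service=ssh
fw --add-port={80/tcp,443/tcp,10000/tcp}

# Jitsi Videobridge
fw --add-port=4443/tcp

# FTP & FTPS (TCP & UDP)
fw --add-port={21/tcp,20/tcp,990/tcp,21/udp,20/udp,990/udp}

# TFTP & IDENT (auth)
fw --add-port={69/tcp,69/udp,113/tcp}

# VoIP (SIP, RTP, UDPTL)
fw --add-port={5060/udp,5060/tcp}
fw --add-port=10000-20000/udp
fw --add-port=4000-4999/udp

# Unprivileged High Ports
# NOTE(review): this exposes every TCP listener on 49152-65534, presumably
# for passive-mode FTP data connections.  If so, narrow it to the FTP
# server's configured passive port range — confirm against its config.
fw --add-port=49152-65534/tcp

# DNS response traffic: firewalld is stateful (conntrack), so replies to the
# host's own outbound DNS queries are already accepted as established
# traffic.  The former rule
#   'rule family="ipv4" source-port port="53" protocol="udp" accept'
# was removed because it accepted ANY inbound UDP packet whose source port
# was 53, whatever its destination port, bypassing every rule in this zone.

# NFS, X11, Font Server, MySQL, and AMI: explicit drops (IPv4 only).
# With the zone target set to DROP below these are belt-and-braces; they keep
# the ports closed even if the target is later changed.
fw --add-rich-rule='rule family="ipv4" port port="2049-2050" protocol="tcp" drop'
fw --add-rich-rule='rule family="ipv4" port port="6000-6063" protocol="tcp" drop'
fw --add-rich-rule='rule family="ipv4" port port="7000-7010" protocol="tcp" drop'
fw --add-rich-rule='rule family="ipv4" port port="3306" protocol="tcp" drop'
fw --add-rich-rule='rule family="ipv4" port port="5038" protocol="tcp" drop'

# ICMP: inversion turns the zone's icmp-block list into an allow list.
# NOTE(review): --remove-icmp-block on types that are not in the list is a
# no-op (NOT_ENABLED warning).  If the intent is to *permit* these types
# under inversion, --add-icmp-block is what puts them on the allow list —
# confirm the intended ICMP policy.
fw --add-icmp-block-inversion
fw --remove-icmp-block={echo-reply,destination-unreachable,source-quench,time-exceeded,parameter-problem}

# DROP by default: traffic in $zone not matched above is silently dropped
fw --set-target=DROP

# apply changes
firewall-cmd --reload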

