feat(firewalld): configuration to open unprivileged ports by default

build_scripts/20-packages.sh

@@ -11,6 +11,7 @@ dnf -y install \
 	buildah \
 	distrobox \
 	fastfetch \
+	firewalld \
 	fpaste \
 	fzf \
 	gnome-disk-utility \

build_scripts/40-services.sh

@@ -11,6 +11,7 @@ sed -i 's/#HandleLidSwitchExternalPower=.*/HandleLidSwitchExternalPower=suspend-
 sed -i 's/#SleepOperation=.*/SleepOperation=suspend-then-hibernate/g' /usr/lib/systemd/logind.conf
 systemctl enable brew-setup.service
 systemctl enable gdm.service
+systemctl enable firewalld.service
 systemctl enable fwupd.service
 systemctl --global enable podman-auto-update.timer
 systemctl enable ublue-countme.timer

system_files/etc/firewalld/firewalld.conf

@@ -0,0 +1,78 @@
+# firewalld config file
+
+# default zone
+# The default zone used if an empty zone string is used.
+# Default: public
+DefaultZone=Workstation
+
+# Minimal mark
+# Marks up to this minimum are free for use for example in the direct
+# interface. If more free marks are needed, increase the minimum
+# Default: 100
+#MinimalMark=100
+
+# Clean up on exit
+# If set to no or false the firewall configuration will not get cleaned up
+# on exit or stop of firewalld
+# Default: yes
+#CleanupOnExit=yes
+
+# Lockdown
+# If set to enabled, firewall changes with the D-Bus interface will be limited
+# to applications that are listed in the lockdown whitelist.
+# The lockdown whitelist file is lockdown-whitelist.xml
+# Default: no
+#Lockdown=no
+
+# IPv6_rpfilter
+# Performs a reverse path filter test on a packet for IPv6. If a reply to the
+# packet would be sent via the same interface that the packet arrived on, the
+# packet will match and be accepted, otherwise dropped.
+# The rp_filter for IPv4 is controlled using sysctl.
+# Default: yes
+#IPv6_rpfilter=yes
+
+# IndividualCalls
+# Do not use combined -restore calls, but individual calls. This increases the
+# time that is needed to apply changes and to start the daemon, but is good for
+# debugging.
+# Default: no
+#IndividualCalls=no
+
+# LogDenied
+# Add logging rules right before reject and drop rules in the INPUT, FORWARD
+# and OUTPUT chains for the default rules and also final reject and drop rules
+# in zones. Possible values are: all, unicast, broadcast, multicast and off.
+# Default: off
+#LogDenied=off
+
+# AutomaticHelpers
+# For the secure use of iptables and connection tracking helpers it is
+# recommended to turn AutomaticHelpers off. But this might have side effects on
+# other services. This setting can be overridden per zone using the
+# AutomaticHelpers zone setting. For more information on helpers and their
+# configuration, please have a look at the respective documentation.
+# Default: system
+#AutomaticHelpers=system
+
+# FirewallBackend
+# Selects the firewall backend implementation.
+# Choices are:
+#	- nftables (default)
+#	- iptables (iptables, ip6tables, ebtables and ipset)
+# Default: nftables
+#FirewallBackend=nftables
+
+# FlushAllOnReload
+# Flush all runtime rules on a reload. In previous releases some runtime
+# configuration was retained during a reload, namely; interface to zone
+# assignment, and direct rules. This was confusing to users. To get the old
+# behavior set this to "no".
+# Default: yes
+#FlushAllOnReload=yes
+
+# RFC3964_IPv4
+# As per RFC 3964, filter IPv6 over IPv4 tunnels (6to4).
+# This means we also filter protocol 41 and isatap.
+# Default: yes
+#RFC3964_IPv4=yes

system_files/usr/lib/firewalld/zones/Workstation.xml

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="utf-8"?>
+<zone>
+  <short>Workstation</short>
+  <description>Unsolicited incoming network packets are rejected from port 1 to 1023, except for select network services. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
+  <service name="dhcpv6-client"/>
+  <service name="ssh"/>
+  <service name="samba-client"/>
+  <port protocol="udp" port="1024-65535"/>
+  <port protocol="tcp" port="1024-65535"/>
+</zone>