ensure CSF Firewall ready for HTTP/3 UDP in 130.00beta01

- Nginx HTTP/3 over QUIC uses UDP connections not TCP so ensure UDP port 443 for IPv4/IPv6 is open for CSF Firewall when user chooses a Nginx configuration which enables HTTP/3 over QUIC/UDP at centmin.sh menu option 4 compilation time
centminmod · Nov 2, 2022 · 5f2ef55 · 5f2ef55
1 parent 6e75b75
commit 5f2ef55
Show file tree

Hide file tree

Showing 4 changed files with 67 additions and 2 deletions.
diff --git a/centmin-cli.sh b/centmin-cli.sh
@@ -29,7 +29,7 @@ DT=$(date +"%d%m%y-%H%M%S")
 branchname='130.00beta01'
 SCRIPT_MAJORVER='130'
 SCRIPT_MINORVER='00'
-SCRIPT_INCREMENTVER='242'
+SCRIPT_INCREMENTVER='243'
 SCRIPT_VERSIONSHORT="${branchname}"
 SCRIPT_VERSION="${SCRIPT_VERSIONSHORT}.b${SCRIPT_INCREMENTVER}"
 SCRIPT_DATE='01/11/22'

diff --git a/centmin.sh b/centmin.sh
@@ -29,7 +29,7 @@ DT=$(date +"%d%m%y-%H%M%S")
 branchname='130.00beta01'
 SCRIPT_MAJORVER='130'
 SCRIPT_MINORVER='00'
-SCRIPT_INCREMENTVER='242'
+SCRIPT_INCREMENTVER='243'
 SCRIPT_VERSIONSHORT="${branchname}"
 SCRIPT_VERSION="${SCRIPT_VERSIONSHORT}.b${SCRIPT_INCREMENTVER}"
 SCRIPT_DATE='01/11/22'

diff --git a/inc/csfinstall.inc b/inc/csfinstall.inc
@@ -185,6 +185,38 @@ sed -i "s/UDP_IN = \"/UDP_IN = \"67,68,111,2049,1110,33434:33534,/g" /etc/csf/cs
 sed -i "s/UDP_OUT = \"/UDP_OUT = \"67,68,111,2049,1110,33434:33534,443/g" /etc/csf/csf.conf
 sed -i "s/DROP_NOLOG = \"67,68,/DROP_NOLOG = \"/g" /etc/csf/csf.conf
 
+# ensure HTTP/3 UDP port 443 is open
+if [[ "$NGINX_QUIC_SUPPORT" = [yY] ]]; then
+  if [[ ! "$(grep 'UDP_IN =' /etc/csf/csf.conf | grep -o '443')" ]]; then
+    csf --profile backup http3_udp_in
+    # csf --profile list
+    sed -i "s/UDP_IN = \"/UDP_IN = \"443,/g" /etc/csf/csf.conf
+    grep 'UDP_IN =' /etc/csf/csf.conf | grep -o '443'
+    # csf -ra >/dev/null 2>&1
+  fi
+  if [[ ! "$(grep 'UDP_OUT =' /etc/csf/csf.conf | grep -o '443')" ]]; then
+    csf --profile backup http3_udp_out
+    # csf --profile list
+    sed -i "s/UDP_OUT = \"/UDP_OUT = \"443,/g" /etc/csf/csf.conf
+    grep 'UDP_OUT =' /etc/csf/csf.conf | grep -o '443'
+    # csf -ra >/dev/null 2>&1
+  fi
+  if [[ ! "$(grep 'UDP6_IN =' /etc/csf/csf.conf | grep -o '443')" ]]; then
+    csf --profile backup http3_udp6_in
+    # csf --profile list
+    sed -i "s/UDP6_IN = \"/UDP6_IN = \"443,/g" /etc/csf/csf.conf
+    grep 'UDP6_IN =' /etc/csf/csf.conf | grep -o '443'
+    # csf -ra >/dev/null 2>&1
+  fi
+  if [[ ! "$(grep 'UDP6_OUT =' /etc/csf/csf.conf | grep -o '443')" ]]; then
+    csf --profile backup http3_udp6_out
+    # csf --profile list
+    sed -i "s/UDP6_OUT = \"/UDP6_OUT = \"443,/g" /etc/csf/csf.conf
+    grep 'UDP6_OUT =' /etc/csf/csf.conf | grep -o '443'
+    # csf -ra >/dev/null 2>&1
+  fi
+fi
+
     egrep '^UDP_|^TCP_|^DROP_NOLOG' /etc/csf/csf.conf
 
     echo "Disabling CSF Testing mode (activates firewall)..."

diff --git a/inc/nginx_configure.inc b/inc/nginx_configure.inc
@@ -214,6 +214,38 @@ if [ -f "${CM_INSTALLDIR}/inc/z_custom.inc" ]; then
     source "${CM_INSTALLDIR}/inc/z_custom.inc"
 fi
 
+# ensure HTTP/3 UDP port 443 is open
+if [[ "$ngver" = 'quic' || "$NGINX_QUIC_SUPPORT" = [yY] ]]; then
+  if [[ ! "$(grep 'UDP_IN =' /etc/csf/csf.conf | grep -o '443')" ]]; then
+    csf --profile backup http3_udp_in
+    # csf --profile list
+    sed -i "s/UDP_IN = \"/UDP_IN = \"443,/g" /etc/csf/csf.conf
+    grep 'UDP_IN =' /etc/csf/csf.conf | grep -o '443'
+    csf -ra >/dev/null 2>&1
+  fi
+  if [[ ! "$(grep 'UDP_OUT =' /etc/csf/csf.conf | grep -o '443')" ]]; then
+    csf --profile backup http3_udp_out
+    # csf --profile list
+    sed -i "s/UDP_OUT = \"/UDP_OUT = \"443,/g" /etc/csf/csf.conf
+    grep 'UDP_OUT =' /etc/csf/csf.conf | grep -o '443'
+    csf -ra >/dev/null 2>&1
+  fi
+  if [[ ! "$(grep 'UDP6_IN =' /etc/csf/csf.conf | grep -o '443')" ]]; then
+    csf --profile backup http3_udp6_in
+    # csf --profile list
+    sed -i "s/UDP6_IN = \"/UDP6_IN = \"443,/g" /etc/csf/csf.conf
+    grep 'UDP6_IN =' /etc/csf/csf.conf | grep -o '443'
+    csf -ra >/dev/null 2>&1
+  fi
+  if [[ ! "$(grep 'UDP6_OUT =' /etc/csf/csf.conf | grep -o '443')" ]]; then
+    csf --profile backup http3_udp6_out
+    # csf --profile list
+    sed -i "s/UDP6_OUT = \"/UDP6_OUT = \"443,/g" /etc/csf/csf.conf
+    grep 'UDP6_OUT =' /etc/csf/csf.conf | grep -o '443'
+    csf -ra >/dev/null 2>&1
+  fi
+fi
+
 if [ -f "${CONFIGSCANBASE}/custom_config.inc" ]; then
   OPENSSL_VERSION_CUSTOMCONFIG=$(awk -F "'" '/^OPENSSL_VERSION=/ {print $2}' "${CONFIGSCANBASE}/custom_config.inc")
   if [[ "${OPENSSL_VERSION}" = '1.1.0j' || "$OPENSSL_VERSION_CUSTOMCONFIG" = '1.1.0j' || "$OPENSSL_VERSION_CUSTOMCONFIG" = '1.1.0i' || "$OPENSSL_VERSION_CUSTOMCONFIG" = '1.1.0h' || "$OPENSSL_VERSION_CUSTOMCONFIG" = '1.1.0g' || "$OPENSSL_VERSION_CUSTOMCONFIG" = '1.1.0f' || "$OPENSSL_VERSION_CUSTOMCONFIG" = '1.1.0e' || "$OPENSSL_VERSION_CUSTOMCONFIG" = '1.1.0d' || "$OPENSSL_VERSION_CUSTOMCONFIG" = '1.1.0c' || "$OPENSSL_VERSION_CUSTOMCONFIG" = '1.1.0b' || "$OPENSSL_VERSION_CUSTOMCONFIG" = '1.1.0a' ]]; then
@@ -277,6 +309,7 @@ else
   echo
   echo "NGINX_KTLS_OPT=$NGINX_KTLS_OPT"
 fi
+
 # openssl 1.1.1 quictls fork for nginx-quic HTTP/3 builds
 if [[ "$ngver" = 'quic' || "$NGINX_QUIC_SUPPORT" = [yY] ]] && [[ "$LIBRESSL_SWITCH" = [nN] && "$BORINGSSL_SWITCH" = [nN] ]]; then
   if [[ "$NGINX_QUIC_RPMS" = [yY] && ! -f /opt/el-compat-quic/bin/openssl && "$CENTOS_SEVEN" -eq '7' ]]; then