Hello pjv,
by setting automatically the minimal rules for WordOps with UFW, we make sure there are no servers running WordOps without a firewall. In my opinion, every server with a public IP should be configured with a firewall, but the most part of people will not configure it themself, so it's seems smarter to me to perform this configuration by default, and to allow advanced users to skip this step.
Here the UFW configuration function :
# get custom ssh port
if [ -f /etc/ssh/sshd_config ]; then
CURRENT_SSH_PORT=$(grep "Port" /etc/ssh/sshd_config | awk -F " " '{print $2}')
fi
# define firewall rules
if ! grep -q "LOGLEVEL=low" /etc/ufw/ufw.conf; then
ufw logging low
fi
if ! grep -q 'DEFAULT_OUTPUT_POLICY="ACCEPT"' /etc/default/ufw; then
ufw default allow outgoing
fi
if ! grep -q 'DEFAULT_INPUT_POLICY="DROP"' /etc/default/ufw; then
ufw default deny incoming
fi
if ! grep -q "\-\-dport 22 -j" /etc/ufw/user.rules; then
# default ssh port
ufw limit 22
fi
# custom ssh port
if [ "$CURRENT_SSH_PORT" != "22" ]; then
if ! grep -q "\-\-dport $CURRENT_SSH_PORT -j" /etc/ufw/user.rules; then
ufw limit "$CURRENT_SSH_PORT"
fi
fi
# nginx
if ! grep -q "\-\-dport 80 -j" /etc/ufw/user.rules; then
# http
ufw allow http
fi
if ! grep -q "\-\-dport 443 -j" /etc/ufw/user.rules; then
# https
ufw allow https
fi
# ntp
if ! grep -q "\-\-dport 123 -j" /etc/ufw/user.rules; then
ufw allow 123
fi
if ! grep -q "\-\-dport 22222 -j" /etc/ufw/user.rules; then
# wordops backend
ufw limit 22222
fi
# enable ufw
if [ -n "$CURRENT_SSH_PORT" ]; then
if ! grep -q "ENABLED=yes" /etc/ufw/ufw.conf; then
ufw --force enable
else
ufw reload
fi
fi
# remove ufw from syslog
if [ -f /etc/rsyslog.d/20-ufw.conf ]; then
sed -i 's/\#\& stop/\& stop/' /etc/rsyslog.d/20-ufw.conf
service rsyslog restart
fi