[Security] Change port HESTIA chain when changing port via UI / CLI (hestiacp#2465)

jaapmarcus · ScIT-Raphael · web-flow · commit 91081b0eeeb6 · 2022-03-13T21:39:26.000+01:00
* HESTIA chain config on port change

* Update upgrade script

* Use v-update-firewall instead of restart

Co-authored-by: Raphael &lt;rs@scit.ch&gt;
diff --git a/bin/v-change-sys-port b/bin/v-change-sys-port
@@ -73,6 +73,11 @@ else
     fi
     sed -i "/COMMENT='HESTIA'/c\RULE='2' ACTION='ACCEPT' PROTOCOL='TCP' PORT='$PORT' IP='0.0.0.0/0' COMMENT='HESTIA' SUSPENDED='no' TIME='07:40:16' DATE='2014-05-25'" $HESTIA/data/firewall/rules.conf
     
+    # Update F2B chains config
+    if [ -f "$HESTIA/data/firewall/chains.conf" ]; then
+        sed -i "s/PORT='$ORIGINAL_PORT'/PORT='$PORT'/g" $HESTIA/data/firewall/chains.conf
+    fi
+    
     # Restart services
     if [ -n "$FIREWALL_SYSTEM" ] && [ "$FIREWALL_SYSTEM" != no ]; then
         $HESTIA/bin/v-restart-service iptables
diff --git a/install/upgrade/versions/1.5.10.sh b/install/upgrade/versions/1.5.10.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Hestia Control Panel upgrade script for target version 1.5.9
+# Hestia Control Panel upgrade script for target version 1.5.10
 
 #######################################################################################
 #######                      Place additional commands below.                   #######
diff --git a/install/upgrade/versions/1.5.11.sh b/install/upgrade/versions/1.5.11.sh
@@ -15,8 +15,30 @@
 ####### You can use \n within the string to create new lines.                   #######
 #######################################################################################
 
-# Fix Roundcube logdir permission
+upgrade_config_set_value 'UPGRADE_UPDATE_WEB_TEMPLATES' 'false'
+upgrade_config_set_value 'UPGRADE_UPDATE_DNS_TEMPLATES' 'false'
+upgrade_config_set_value 'UPGRADE_UPDATE_MAIL_TEMPLATES' 'false'
+upgrade_config_set_value 'UPGRADE_REBUILD_USERS' 'false'
+upgrade_config_set_value 'UPGRADE_UPDATE_FILEMANAGER_CONFIG' 'false'
+
+PORT=$(cat $HESTIA/nginx/conf/nginx.conf | grep "listen" | sed 's/[^0-9]*//g')
 
+if [ "$PORT" != "8083" ]; then 
+    # Update F2B chains config
+    if [ -f "$HESTIA/data/firewall/chains.conf" ]; then
+        # Update value in chains.conf
+        sed -i "s/PORT='8083'/PORT='$PORT'/g" $HESTIA/data/firewall/chains.conf
+    fi
+    
+    # Restart services
+    if [ -n "$FIREWALL_SYSTEM" ] && [ "$FIREWALL_SYSTEM" != no ]; then
+        $HESTIA/bin/v-stop-firewall
+        $HESTIA/bin/v-update-firewall
+                
+    fi
+fi
+
+# Fix Roundcube logdir permission
 if [ -d "/var/log/roundcube" ]; then
     chown www-data:www-data /var/log/roundcube
 fi
