Merge pull request #1407 from RunOnFlux/development

v5.28.0

ZelBack/src/lib/socketServer.js

@@ -4,7 +4,29 @@ const WebSocketServer = require('ws').Server;
 class FluxWebsocketServer {
   static defautlErrorHandler = () => { };
 
-  #socketServer = new WebSocketServer({ noServer: true });
+  #socketServer = new WebSocketServer({
+    noServer: true,
+    perMessageDeflate: {
+      zlibDeflateOptions: {
+      // See zlib defaults.
+        chunkSize: 1024,
+        memLevel: 8,
+        level: 3,
+      },
+      zlibInflateOptions: {
+        chunkSize: 10 * 1024,
+      },
+      // Other options settable:
+      clientNoContextTakeover: true, // Defaults to negotiated value.
+      serverNoContextTakeover: true, // Defaults to negotiated value.
+      serverMaxWindowBits: 15, // Defaults to negotiated value.
+      clientMaxWindowBits: 15, // Defaults to negotiated value.
+      // Below options specified as default values.
+      concurrencyLimit: 2, // Limits zlib concurrency for perf.
+      threshold: 128, // Size (in bytes) below which messages
+    // should not be compressed if context takeover is disabled.
+    },
+  });
 
   #routes = {};
 

ZelBack/src/services/appsService.js

@@ -2040,6 +2040,8 @@ async function createAppVolume(appSpecifications, appName, isComponent, res) {
     }
     const execPERM = `sudo chmod 777 ${appsFolder + appId}`;
     await cmdAsync(execPERM);
+    const execPERMdata = `sudo chmod 777 ${appsFolder + appId}/appdata`;
+    await cmdAsync(execPERMdata);
     const permissionsDirectory2 = {
       status: 'Permissions adjusted',
     };

ZelBack/src/services/fluxCommunication.js

@@ -677,8 +677,30 @@ async function initiateAndHandleConnection(connection) {
       }
       myPort = myIP.split(':')[1] || 16127;
     }
+    const options = {
+      perMessageDeflate: {
+        zlibDeflateOptions: {
+        // See zlib defaults.
+          chunkSize: 1024,
+          memLevel: 8,
+          level: 3,
+        },
+        zlibInflateOptions: {
+          chunkSize: 10 * 1024,
+        },
+        // Other options settable:
+        clientNoContextTakeover: true, // Defaults to negotiated value.
+        serverNoContextTakeover: true, // Defaults to negotiated value.
+        serverMaxWindowBits: 15, // Defaults to negotiated value.
+        clientMaxWindowBits: 15, // Defaults to negotiated value.
+        // Below options specified as default values.
+        concurrencyLimit: 2, // Limits zlib concurrency for perf.
+        threshold: 128, // Size (in bytes) below which messages
+      // should not be compressed if context takeover is disabled.
+      },
+    };
     const wsuri = `ws://${ip}:${port}/ws/flux/${myPort}`;
-    const websocket = new WebSocket(wsuri);
+    const websocket = new WebSocket(wsuri, options);
     websocket.port = port;
     websocket.ip = ip;
     websocket.onopen = () => {

ZelBack/src/services/fluxNetworkHelper.js

@@ -1297,6 +1297,36 @@ async function adjustFirewall() {
     ports = ports.concat(fluxCommunicationPorts);
     const firewallActive = await isFirewallActive();
     if (firewallActive) {
+      // set default allow outgoing
+      const execAllowA = 'LANG="en_US.UTF-8" && sudo ufw default allow outgoing';
+      await cmdAsync(execAllowA);
+      // allow speedtests
+      const execAllowB = 'LANG="en_US.UTF-8" && sudo ufw insert 1 allow out 5060';
+      const execAllowC = 'LANG="en_US.UTF-8" && sudo ufw insert 1 allow out 8080';
+      await cmdAsync(execAllowB);
+      await cmdAsync(execAllowC);
+      // allow incoming and outgoing DNS traffic
+      const execAllowD = 'LANG="en_US.UTF-8" && sudo ufw insert 1 allow in proto udp to any port 53';
+      const execAllowE = 'LANG="en_US.UTF-8" && sudo ufw insert 1 allow out proto udp to any port 53';
+      const execAllowF = 'LANG="en_US.UTF-8" && sudo ufw insert 1 allow out proto tcp to any port 53';
+      await cmdAsync(execAllowD);
+      await cmdAsync(execAllowE);
+      await cmdAsync(execAllowF);
+      log.info('Firewall adjusted for DNS traffic');
+
+      const commandGetRouterIP = 'ip rout | head -n1 | awk \'{print $3}\'';
+      let routerIP = await cmdAsync(commandGetRouterIP);
+      routerIP = routerIP.replace(/(\r\n|\n|\r)/gm, '');
+      log.info(`Router IP: ${routerIP}`);
+      if (serviceHelper.validIpv4Address(routerIP)
+        && (routerIP.startsWith('192.168.') || routerIP.startsWith('10.') || routerIP.startsWith('172.16.')
+       || routerIP.startsWith('100.64.') || routerIP.startsWith('198.18.') || routerIP.startsWith('169.254.'))) {
+        const execRouterAllowA = `LANG="en_US.UTF-8" && sudo ufw insert 1 allow out from any to ${routerIP} proto tcp > /dev/null 2>&1`;
+        const execRouterAllowB = `LANG="en_US.UTF-8" && sudo ufw insert 1 allow from ${routerIP} to any proto udp > /dev/null 2>&1`;
+        await cmdAsync(execRouterAllowA);
+        await cmdAsync(execRouterAllowB);
+        log.info(`Firewall adjusted for comms with router on local ip ${routerIP}`);
+      }
       // eslint-disable-next-line no-restricted-syntax
       for (const port of ports) {
         const execB = `LANG="en_US.UTF-8" && sudo ufw allow ${port}`;
@@ -1334,16 +1364,24 @@ async function adjustFirewallToNotAllowNetscans() {
     const cmdAsync = util.promisify(nodecmd.get);
     const firewallActive = await isFirewallActive();
     if (firewallActive) {
+      const execDelDenyA = 'LANG="en_US.UTF-8" && sudo ufw delete deny out from any to 10.0.0.0/8';
+      const execDelDenyB = 'LANG="en_US.UTF-8" && sudo ufw delete deny out from any to 172.16.0.0/12';
+      const execDelDenyC = 'LANG="en_US.UTF-8" && sudo ufw delete deny out from any to 192.168.0.0/16';
+      const execDelDenyD = 'LANG="en_US.UTF-8" && sudo ufw delete deny out from any to 100.64.0.0/10';
+      const execDelDenyE = 'LANG="en_US.UTF-8" && sudo ufw delete deny out from any to 198.18.0.0/15';
+      const execDelDenyF = 'LANG="en_US.UTF-8" && sudo ufw delete deny out from any to 169.254.0.0/16';
       const execDenyA = 'LANG="en_US.UTF-8" && sudo ufw deny out from any to 10.0.0.0/8';
       const execDenyB = 'LANG="en_US.UTF-8" && sudo ufw deny out from any to 172.16.0.0/12';
       const execDenyC = 'LANG="en_US.UTF-8" && sudo ufw deny out from any to 192.168.0.0/16';
       const execDenyD = 'LANG="en_US.UTF-8" && sudo ufw deny out from any to 100.64.0.0/10';
       const execDenyE = 'LANG="en_US.UTF-8" && sudo ufw deny out from any to 198.18.0.0/15';
       const execDenyF = 'LANG="en_US.UTF-8" && sudo ufw deny out from any to 169.254.0.0/16';
-      const execAllowA = 'LANG="en_US.UTF-8" && sudo ufw allow from 192.168.0.0/16 to any port 1900 proto udp';
-      const execAllowB = 'LANG="en_US.UTF-8" && sudo ufw allow from 192.168.0.0/16 to any port 2869 proto tcp';
-      await cmdAsync(execAllowA);
-      await cmdAsync(execAllowB);
+      await cmdAsync(execDelDenyA);
+      await cmdAsync(execDelDenyB);
+      await cmdAsync(execDelDenyC);
+      await cmdAsync(execDelDenyD);
+      await cmdAsync(execDelDenyE);
+      await cmdAsync(execDelDenyF);
       await cmdAsync(execDenyA);
       await cmdAsync(execDenyB);
       await cmdAsync(execDenyC);

ZelBack/src/services/serviceManager.js

@@ -31,8 +31,6 @@ async function startFluxFunctions() {
       log.error(`Flux port ${apiPort} is not supported. Shutting down.`);
       process.exit();
     }
-    fluxNetworkHelper.adjustFirewallToNotAllowNetscans();
-    log.info('Firewalls Netscans checked');
     // User configured UPnP node with routerIP, UPnP has already been verified and setup
     if (userconfig.initial.routerIP) {
       setInterval(() => {
@@ -82,6 +80,8 @@ async function startFluxFunctions() {
     await databaseTemp.collection(config.database.appsglobal.collections.appsLocations).createIndex({ broadcastedAt: 1 }, { expireAfterSeconds: 7500 });
     log.info('Flux Apps locations prepared');
     fluxNetworkHelper.adjustFirewall();
+    fluxNetworkHelper.adjustFirewallToNotAllowNetscans();
+    log.info('Firewalls Netscans checked');
     log.info('Firewalls checked');
     fluxNetworkHelper.allowNodeToBindPrivilegedPorts();
     log.info('Node allowed to bind privileged ports');

ZelBack/src/services/upnpService.js

@@ -52,10 +52,35 @@ async function adjustFirewallForUPNP() {
       const cmdAsync = util.promisify(nodecmd.get);
       const firewallActive = await isFirewallActive();
       if (firewallActive) {
-        const execA = 'LANG="en_US.UTF-8" && sudo ufw allow out from any to 239.255.255.250 port 1900 proto udp > /dev/null 2>&1';
-        const execB = `LANG="en_US.UTF-8" && sudo ufw allow from ${routerIP} port 1900 to any proto udp > /dev/null 2>&1`;
-        const execC = `LANG="en_US.UTF-8" && sudo ufw allow out from any to ${routerIP} proto tcp > /dev/null 2>&1`;
-        const execD = `LANG="en_US.UTF-8" && sudo ufw allow from ${routerIP} to any proto udp > /dev/null 2>&1`;
+        // standard rules for upnp
+        const execA = 'LANG="en_US.UTF-8" && sudo ufw insert 1 allow out from any to 239.255.255.250 port 1900 proto udp > /dev/null 2>&1';
+        const execB = `LANG="en_US.UTF-8" && sudo ufw insert 1 allow from ${routerIP} port 1900 to any proto udp > /dev/null 2>&1`;
+        const execC = `LANG="en_US.UTF-8" && sudo ufw insert 1 allow out from any to ${routerIP} proto tcp > /dev/null 2>&1`;
+        const execD = `LANG="en_US.UTF-8" && sudo ufw insert 1 allow from ${routerIP} to any proto udp > /dev/null 2>&1`;
+        await cmdAsync(execA);
+        await cmdAsync(execB);
+        await cmdAsync(execC);
+        await cmdAsync(execD);
+
+        const fluxCommunicationPorts = config.server.allowedPorts;
+        // eslint-disable-next-line no-restricted-syntax
+        for (const port of fluxCommunicationPorts) {
+          // create rule for hone nodes ws connections
+          const execAllowHomeComsA = `LANG="en_US.UTF-8" && sudo ufw insert 1 allow in proto tcp from any to ${routerIP} port ${port} > /dev/null 2>&1`;
+          const execAllowHomeComsB = `LANG="en_US.UTF-8" && sudo ufw insert 1 allow out proto tcp to ${routerIP} port ${port} > /dev/null 2>&1`;
+          const execAllowHomeComsC = `LANG="en_US.UTF-8" && sudo ufw insert 1 allow in proto udp from any to ${routerIP} port ${port} > /dev/null 2>&1`;
+          const execAllowHomeComsD = `LANG="en_US.UTF-8" && sudo ufw insert 1 allow out proto udp to ${routerIP} port ${port} > /dev/null 2>&1`;
+          // eslint-disable-next-line no-await-in-loop
+          await cmdAsync(execAllowHomeComsA);
+          // eslint-disable-next-line no-await-in-loop
+          await cmdAsync(execAllowHomeComsB);
+          // eslint-disable-next-line no-await-in-loop
+          await cmdAsync(execAllowHomeComsC);
+          // eslint-disable-next-line no-await-in-loop
+          await cmdAsync(execAllowHomeComsD);
+          log.info(`Firewall adjusted for UPNP local connections on port ${port}`);
+        }
+        // delete and recreate deny rule at end
         let routerIpNetwork = `${routerIP.split('.')[0]}.${routerIP.split('.')[1]}.0.0`;
         if (routerIpNetwork === '10.0.0.0') {
           routerIpNetwork += '/8';
@@ -72,10 +97,6 @@ async function adjustFirewallForUPNP() {
         }
         const execDelete = `LANG="en_US.UTF-8" && sudo ufw delete deny out from any to ${routerIpNetwork}`;
         const execDeny = `LANG="en_US.UTF-8" && sudo ufw deny out from any to ${routerIpNetwork}`;
-        await cmdAsync(execA);
-        await cmdAsync(execB);
-        await cmdAsync(execC);
-        await cmdAsync(execD);
         await cmdAsync(execDelete);
         await cmdAsync(execDeny);
         log.info('Firewall adjusted for UPNP');

package.json

@@ -1,6 +1,6 @@
 {
   "name": "flux",
-  "version": "5.27.1",
+  "version": "5.28.0",
   "description": "Flux, Your Gateway to a Decentralized World",
   "repository": {
     "type": "git",