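#!/bin/bash
# Configure UFW for a self-hosted UniFi Network Server.
#
# Usage: sudo ./unifi-ufw.sh
#
# Environment (all optional):
#   COMMENT_TXT     Tag prefixed to every rule comment so the rules added here can
#                   be found (and later removed) via `ufw status numbered`.
#                   Default: "UniFi".
#   ALLOWED_SRC     Source restriction applied to every inbound rule, e.g.
#                   192.168.1.0/24. Default "any", which keeps the original
#                   behaviour — but note that "any" makes every listed port
#                   reachable from every interface, including a WAN-facing one.
#   EXPOSE_DB_PORT  Set to 1 to open TCP 27117 (the local MongoDB) to ALLOWED_SRC.
#                   Off by default: the database only needs loopback access, which
#                   ufw permits regardless, and exposing it to the network is a
#                   needless attack surface.
#
# Outbound rules are included for completeness; ufw's default outgoing policy is
# "allow", so they only matter if egress has been tightened on this host.
set -euo pipefail

# Root is required: ufw edits iptables/nftables and its own rules files.
if [ "$EUID" -ne 0 ]; then
  echo "Please run this script using sudo or as root." >&2
  exit 1
fi

# Fail early with a clear message instead of a stream of "command not found".
if ! command -v ufw >/dev/null 2>&1; then
  echo "ufw is not installed; aborting." >&2
  exit 1
fi

COMMENT_TXT="${COMMENT_TXT:-UniFi}"
ALLOWED_SRC="${ALLOWED_SRC:-any}"
EXPOSE_DB_PORT="${EXPOSE_DB_PORT:-0}"
readonly COMMENT_TXT ALLOWED_SRC EXPOSE_DB_PORT

#######################################
# Add an inbound allow rule restricted to ALLOWED_SRC.
# Globals:   ALLOWED_SRC, COMMENT_TXT (read)
# Arguments: $1 - protocol (tcp|udp)
#            $2 - port or port range (low:high)
#            $3 - human-readable description for the rule comment
#######################################
allow_in() {
  ufw allow proto "$1" from "$ALLOWED_SRC" to any port "$2" comment "${COMMENT_TXT}: $3"
}

#######################################
# Add an outbound allow rule.
# Globals:   COMMENT_TXT (read)
# Arguments: $1 - protocol (tcp|udp)
#            $2 - port or port range (low:high)
#            $3 - human-readable description for the rule comment
#######################################
allow_out() {
  ufw allow out proto "$1" to any port "$2" comment "${COMMENT_TXT}: $3"
}

echo "Setting up UFW rules for UniFi Network Server..."

# -------------------------------------------------------------------
# Remote Management Ports
# -------------------------------------------------------------------

# Port 53: DNS lookups for remote access, updates, and Guest Portal redirection.
# These are lookups *made by* the server, i.e. egress. The previous inbound rule
# would have exposed any resolver running on this host to ALLOWED_SRC.
allow_out tcp 53 "DNS Lookup"
allow_out udp 53 "DNS Lookup"

# Port 123: NTP (time sync) - egress.
allow_out udp 123 "NTP"

# Port 3478: STUN for remote access / device adoption.
allow_in udp 3478 "STUN"

# Port 443: Remote Access service, application GUI/API access.
allow_in tcp 443 "GUI/API access"
allow_in udp 443 "GUI/API access"

# Port 8883: Remote Access service (outbound MQTT).
allow_out tcp 8883 "Outbound MQTT"

# Port 5349: Remote access support (ingress).
allow_in tcp 5349 "Remote access support"

# -------------------------------------------------------------------
# UniFi Network Core Ports
# -------------------------------------------------------------------

# Port 5671: Traffic Flow logging for UXGs.
allow_in tcp 5671 "Traffic Flow logging"

# Port 8080: Device and application communication (essential inform port).
allow_in tcp 8080 "Inform Port"

# Port 8443: Application GUI/API (on self-hosted UniFi consoles).
allow_in tcp 8443 "Application GUI/API"

# Ports 8880-8882: Hotspot portal redirection (HTTP).
allow_in tcp 8880:8882 "Hotspot http portal redirection"

# Port 8843: Hotspot portal redirection (HTTPS).
allow_in tcp 8843 "Hotspot https portal redirection"

# Port 8444: Secure Portal for Hotspot.
allow_in tcp 8444 "Secure Portal for Hotspot"

# Port 6789: UniFi mobile speed test.
allow_in tcp 6789 "UniFi mobile speed"

# Port 27117: Local database communication. Opt-in only (see header).
if [ "$EXPOSE_DB_PORT" = "1" ]; then
  allow_in tcp 27117 "Local database communication"
else
  echo "Skipping TCP 27117 (local database); set EXPOSE_DB_PORT=1 to open it."
fi

# Port 10001: Device discovery during adoption.
allow_in udp 10001 "Device discovery during adoption"

# Port 10101: Client fingerprinting information.
allow_in udp 10101 "Client fingerprinting information"

# Port 1900: L2 discovery ("Make application discoverable on L2 network").
allow_in udp 1900 "L2 discovery"

# Port 5514: Remote syslog capture.
allow_in udp 5514 "Remote syslog capture"

# Port 22: SSH access (manual management / device debugging). SSH is TCP only;
# the former UDP/22 rule opened a port nothing listens on and has been dropped.
allow_in tcp 22 "SSH access"

# -------------------------------------------------------------------
# Finalize Configuration
# -------------------------------------------------------------------

# Enable UFW if it isn't already running. Rules above were added first so the
# SSH allow is in place before the default-deny inbound policy takes effect.
echo "Enabling UFW..."
ufw --force enable

# Reload to apply adjustments safely.
ufw reload

echo "All UniFi Network firewall rules successfully loaded with the comment '$COMMENT_TXT'!"
echo "Current UFW Status:"
ufw status verbose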