From 3776b05bedea5d0db282c5bb6c27b37ca2425533 Mon Sep 17 00:00:00 2001
From: Konano
Date: Fri, 29 Aug 2025 17:59:40 +0800
Subject: [PATCH] feat: add UFW configuration support

---
 configure_priv.sh | 38 ++++++++++++++++++++++++++++++++++++++
 files/iptables-load | 4 ++++
 2 files changed, 42 insertions(+)

diff --git a/configure_priv.sh b/configure_priv.sh
index bac2b6b..bbaca29 100755
--- a/configure_priv.sh
+++ b/configure_priv.sh
@@ -341,6 +341,17 @@ configure_iptables() {
     [ $offline -eq 1 ] && return
     [ "$(uname)" = "Darwin" ] && return
 
+    # 如果 ufw 是 active,就直接返回
+    if command_exists ufw; then
+        if sudo ufw status | grep -q "Status: active"; then
+            echo "检测到 ufw 已启用,跳过 iptables 配置。"
+            return
+        fi
+        if confirm_action "检测到 ufw 已存在,是否直接使用 ufw 进行管理,跳过 iptables" "Y"; then
+            return
+        fi
+    fi
+
     if command_exists ifquery && systemctl is-active --quiet networking; then
         # ifupdown: /etc/network/if-pre-up.d/iptables-load
         [ -f /etc/network/if-pre-up.d/iptables-load ] && return
@@ -370,6 +381,32 @@ configure_iptables() {
     fi
 }
 
+configure_ufw() {
+    [ $offline -eq 1 ] && return
+    [ "$(uname)" = "Darwin" ] && return
+    ! command_exists ufw && return
+
+    if sudo ufw status | grep -q "Status: inactive"; then
+        return
+    fi
+
+    # 如果 ufw 没有被脚本初始化过
+    if ! sudo ufw status verbose | grep -q "Initialized by lazy"; then
+        if confirm_action "要配置 ufw 吗?" "N"; then
+            # 默认拒绝所有入站连接
+            sudo ufw default deny incoming
+            sudo ufw default allow outgoing
+            # 允许常用端口
+            sudo ufw allow ssh comment 'SSH (Initialized by lazy)'
+            sudo ufw allow http
+            sudo ufw allow https
+            sudo ufw allow 2263/tcp comment 'SSH'
+            sudo ufw allow 9443/tcp comment 'gost-proxy'
+            sudo ufw allow 6330/tcp comment 'node-exporter'
+        fi
+    fi
+}
+
 configure_zsh_prefix() {
     [ -f ~/.zsh_user ] || return
 
@@ -595,6 +632,7 @@ configure_tmux
 configure_docker
 configure_fail2ban
 configure_iptables
+configure_ufw
 # configure_hostname
 configure_timedate
 configure_bootinfo
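Review bot: The `grep -q "Status: active"` check in the new configure_iptables guard matches a localized string: ufw prints its status through gettext, so on a non-English locale the match silently fails, the function falls through to the confirm_action prompt and can go on to configure iptables on a host where ufw is already active. The same applies to `"Status: inactive"` and the `"Initialized by lazy"` marker grep in the configure_ufw hunk below. Pin the locale for the status command, e.g. `if sudo env LC_ALL=C ufw status | grep -q "Status: active"; then`. A failed `sudo ufw status` (sudo denied, ufw broken) also produces no match and is indistinguishable from "not active"; check the command's exit status before treating an empty result as inactive. The body of configure_iptables continues outside the hunk.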
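Review bot: configure_ufw returns as soon as `ufw status` reports inactive, while the configure_iptables guard above lets the user skip iptables whenever ufw is merely installed, so a host with ufw installed-but-inactive can finish the run with neither iptables rules nor an enabled ufw. If the intent is for ufw to take over in that case, apply the rules first and only then enable it, so the SSH allow entries exist before the default-deny policy takes effect on a remote session; the sketch below also captures the status once instead of running `sudo ufw status` three times and can be read with the current inactive-return behaviour kept if that is preferred. `ufw status` prints no rule list while inactive, so the marker grep can only succeed on an active firewall, which the rewrite preserves. The function is complete within the hunk.
```shell
configure_ufw() {
    # … unchanged: offline / Darwin / command_exists guards …
    local ufw_status
    ufw_status=$(sudo env LC_ALL=C ufw status verbose)
    # Already initialized by this script: nothing to do.
    grep -q "Initialized by lazy" <<<"$ufw_status" && return

    if confirm_action "要配置 ufw 吗?" "N"; then
        # … unchanged: default policies and allow rules …
        # Enable only after the SSH allow rules exist, so a remote session is not cut off.
        if grep -q "Status: inactive" <<<"$ufw_status"; then
            sudo ufw --force enable
        fi
    fi
}
```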
diff --git a/files/iptables-load b/files/iptables-load
index 9c995f2..9e27160 100644
--- a/files/iptables-load
+++ b/files/iptables-load
@@ -48,4 +48,8 @@ iptables -P INPUT DROP
 add_input_tcp_filter 9443 gost-proxy
 add_input_tcp_filter 6330 node-exporter
 
+##########
+# if you use ufw, please execute `sudo ufw allow xxxx/tcp comment 'xxxx'``
+##########
+
 # ====================
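Review bot: The added comment has an unbalanced closing backtick (`'xxxx'``), so the quoted command should read `sudo ufw allow xxxx/tcp comment 'xxxx'` with a single backtick on each side. It would also help to state here that the port list in this file (9443 gost-proxy, 6330 node-exporter) is duplicated as literals in configure_ufw in configure_priv.sh, so a new `add_input_tcp_filter` line needs a matching `ufw allow` entry there, e.g. `# keep in sync with configure_ufw in configure_priv.sh`.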