YunoHost / issues

General issue tracker for the YunoHost project

So many apps do a "yunohost firewall allow" to expose a port ... where I'm pretty sure most of them don't need this and this make the service vulnerable to attacks... #1487

Closed alexAubin closed 3 years ago

alexAubin commented 4 years ago

grep -nr "^\w.*firewall allow" ./all_install_scripts :

./torclient:91:sudo yunohost firewall allow --no-upnp UDP 9053
./torclient:92:sudo yunohost firewall allow --no-upnp TCP 9040
./armadietto:68:ynh_exec_warn_less yunohost firewall allow --no-upnp TCP $port
./diaspora:72:yunohost firewall allow --no-upnp TCP $port 2>&1
./transmission:57:ynh_exec_warn_less yunohost firewall allow --no-upnp TCP $port
./transmission:63:ynh_exec_warn_less yunohost firewall allow Both $peer_port
./minidlna:56:ynh_exec_fully_quiet yunohost firewall allow --no-upnp TCP $port
./minidlna:58:ynh_exec_fully_quiet yunohost firewall allow --no-upnp UDP 1900
./mediadrop:81:yunohost firewall allow --no-upnp TCP $port 2>&1
./lstu:60:yunohost firewall allow --no-upnp TCP $port 2>&1
./squid3:45:yunohost firewall allow --no-upnp TCP $port 2>&1
./cowyo:63:ynh_exec_warn_less yunohost firewall allow --no-upnp TCP $port
./lufi:64:yunohost firewall allow --no-upnp TCP $port 2>&1
./mumbleserver:65:yunohost firewall allow Both "$port"
./duniter:45:yunohost firewall allow TCP $port > /dev/null 2>&1
./ftp_support_webapp:57:ALL_QUIET sudo yunohost firewall allow TCP $port
./caliopen:85:ynh_exec_warn_less yunohost firewall allow --no-upnp TCP $port
./nodered:74:ynh_exec_warn_less yunohost firewall allow --no-upnp TCP $port
./democracyos:58:yunohost firewall allow --no-upnp TCP $port 2>&1
./thelounge:74:yunohost firewall allow --no-upnp TCP $port 2>&1
./homeassistant:38:ynh_exec_fully_quiet yunohost firewall allow TCP $port
./shadowsocks:71:ynh_exec_warn_less yunohost firewall allow --no-upnp Both $port
./piratebox:158:sudo yunohost firewall allow --no-upnp UDP 4253
./piratebox:159:sudo yunohost firewall allow --no-upnp TCP 4280
./domoticz:85:yunohost firewall allow --no-upnp TCP $port 2>&1
./movim:78:yunohost firewall allow --no-upnp TCP "$port" 2>&1
./jitsi:73:ynh_exec_warn_less yunohost firewall allow --no-upnp TCP $port
./jitsi:79:ynh_exec_warn_less yunohost firewall allow --no-upnp UDP $port_videobridge
./jitsi:85:ynh_exec_warn_less yunohost firewall allow --no-upnp TCP $port_component
./osjs:60:yunohost firewall allow --no-upnp TCP $port 2>&1
./streama:81:yunohost firewall allow --no-upnp TCP $port 2>&1
./shinken:96:yunohost firewall allow --no-upnp TCP $port 2>&1
./codimd:69:yunohost firewall allow --no-upnp TCP $port 2>&1
./minetest:45:ALL_QUIET yunohost firewall allow UDP $port
./minetest:46:ALL_QUIET yunohost firewall allow TCP $port
./rutorrent:125:sudo yunohost firewall allow TCP 45069 > /dev/null 2>&1
./hotspot:122:ynh_exec_warn_less yunohost firewall allow --no-upnp --ipv6 UDP 547
./hotspot:123:ynh_exec_warn_less yunohost firewall allow --no-upnp UDP 67
./torrelay:43:sudo yunohost firewall allow Both $port > /dev/null 2>&1
./torrelay:44:sudo yunohost firewall allow --ipv6 Both $port > /dev/null 2>&1
./synapse:78:yunohost firewall allow TCP $synapse_tls_port > /dev/null 2>&1
./synapse:79:yunohost firewall allow Both $turnserver_tls_port > /dev/null 2>&1
./synapse:80:yunohost firewall allow Both $turnserver_alt_tls_port > /dev/null 2>&1
./tes3mp:85:yunohost firewall allow --no-upnp TCP $port 2>&1
./tes3mp:86:yunohost firewall allow --no-upnp UDP $port 2>&1
./tes3mp:87:yunohost firewall allow --no-upnp TCP 25561 2>&1
./shsd:57:yunohost firewall allow --no-upnp TCP $port 2>&1
./syncthing:69:ynh_exec_warn_less yunohost firewall allow TCP $sync_port
./ethercalc:69:sudo yunohost firewall allow --no-upnp TCP $port 2>&1
./calibreweb:71:yunohost firewall allow --no-upnp TCP $port 2>&1
./blogotext:88:ynh_exec_warn_less yunohost firewall allow --no-upnp TCP $port
./osmw:89:sudo yunohost firewall allow Both 3000
./pihole:79:ynh_exec_fully_quiet yunohost firewall allow --no-upnp TCP $port
./pihole:84:ynh_exec_fully_quiet yunohost firewall allow Both 53 --no-upnp
./pihole:316:ynh_exec_fully_quiet yunohost firewall allow UDP 67 --no-upnp
./fluxbb:58:yunohost firewall allow --no-upnp TCP $port 2>&1
./cryptpad:61:yunohost firewall allow --no-upnp TCP $port 2>&1
./scrumblr:146:sudo yunohost firewall allow Both $port
./adhocserver:42:sudo yunohost firewall allow TCP 27312

Granted that some of them need to indeed expose some ports ... but how many of them? Why does blogotext need it for example? Or even transmission? (I don't remember having to port forward a port to get it working on my server) ...
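To turn a grep dump like the one above into something reviewable, here is an added audit script (not part of the issue or of the YunoHost project) that parses each hit into app, protocol, port and flags, then summarises which calls hard-code a port and which omit `--no-upnp` (and so, assuming the CLI semantics shown on this page, would also request a UPnP forward on the router when UPnP is enabled). The sample input is a handful of the hits quoted above; the `--ipv6` flag is parsed only because it appears on the page, and the column names in the result dicts are my own.

```python
import re
from collections import Counter

# Constructed sample input: a few of the grep hits quoted in the issue above,
# chosen to cover the shapes that occur there (wrapper prefixes, literal vs.
# variable ports, flags before or after the port, trailing redirections).
SAMPLE_GREP = """\
./torclient:91:sudo yunohost firewall allow --no-upnp UDP 9053
./transmission:63:ynh_exec_warn_less yunohost firewall allow Both $peer_port
./duniter:45:yunohost firewall allow TCP $port > /dev/null 2>&1
./hotspot:122:ynh_exec_warn_less yunohost firewall allow --no-upnp --ipv6 UDP 547
./pihole:84:ynh_exec_fully_quiet yunohost firewall allow Both 53 --no-upnp
./rutorrent:125:sudo yunohost firewall allow TCP 45069 > /dev/null 2>&1
./movim:78:yunohost firewall allow --no-upnp TCP "$port" 2>&1
"""

GREP_LINE = re.compile(r"^\./(?P<app>[^:]+):(?P<line>\d+):(?P<cmd>.*)$")
ALLOW_CALL = re.compile(r"yunohost\s+firewall\s+allow\s+(?P<args>.*)$")
REDIRECT = re.compile(r"^\d*>")          # '>', '2>&1', '>/dev/null' ...
PROTOCOLS = {"TCP", "UDP", "Both"}


def parse_hit(line):
    """Turn one 'grep -nr' hit into a dict, or None if it is not an allow call."""
    m = GREP_LINE.match(line.strip())
    if not m:
        return None
    call = ALLOW_CALL.search(m.group("cmd"))
    if not call:
        return None
    flags, positional = [], []
    for tok in call.group("args").split():
        if REDIRECT.match(tok):
            break                        # everything after is shell redirection
        (flags if tok.startswith("--") else positional).append(tok)
    if len(positional) != 2 or positional[0] not in PROTOCOLS:
        return None
    proto, port = positional
    port = port.strip("\"'")             # "$port" -> $port
    return {
        "app": m.group("app"),
        "line": int(m.group("line")),
        "proto": proto,
        "port": port,
        "literal_port": port.isdigit(),  # hard-coded port: collision / review flag
        "upnp": "--no-upnp" not in flags,  # assumed: no --no-upnp => UPnP forward requested
        "ipv6": "--ipv6" in flags,
    }


def audit(grep_output):
    """Parse every hit and build a summary a reviewer can act on."""
    hits = [h for h in (parse_hit(row) for row in grep_output.splitlines()) if h]
    summary = {
        "apps": sorted({h["app"] for h in hits}),
        "by_proto": Counter(h["proto"] for h in hits),
        "upnp_forwarded": sorted(h["app"] for h in hits if h["upnp"]),
        "hardcoded_ports": sorted((h["app"], h["port"]) for h in hits if h["literal_port"]),
    }
    return hits, summary


if __name__ == "__main__":
    hits, summary = audit(SAMPLE_GREP)
    for h in hits:
        print(f"{h['app']:<14} line {h['line']:<4} {h['proto']:<5} {h['port']:<12}"
              f"{'UPnP' if h['upnp'] else '':<5} {'v6' if h['ipv6'] else ''}")
    print("apps opening ports:", ", ".join(summary["apps"]))
    print("calls without --no-upnp:", ", ".join(summary["upnp_forwarded"]))
    print("hard-coded ports:", summary["hardcoded_ports"])
```

Run it on the full `grep -nr` output instead of the sample to get the per-app table; the two lists at the end are the ones worth opening PRs for first, since a missing `--no-upnp` widens exposure beyond the host firewall and a hard-coded port cannot be reassigned when two apps collide.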

alexAubin commented 3 years ago

(at least that's for apps declared as working)

So let's close this for now and be hopeful that the PRs are gonna be merged somewhat soon :|