From 5c42f3583928f4d609c4e2e6bbafee398745c332 Mon Sep 17 00:00:00 2001
From: David Heinemeier Hansson
Date: Wed, 16 Jul 2025 16:46:35 -0700
Subject: [PATCH 1/3] Install and enable ufw firewall by default
Gotta be safe out there!
---
install/firewall.sh | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
create mode 100644 install/firewall.sh
diff --git a/install/firewall.sh b/install/firewall.sh
new file mode 100644
index 0000000..d8a92ab
--- /dev/null
+++ b/install/firewall.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+if ! command -v ufw &>/dev/null; then
+ yay -Sy --noconfirm --needed ufw ufw-docker
+
+ # Allow nothing in, everything out
+ sudo ufw default deny incoming
+ sudo ufw default allow outgoing
+
+ # Allow ports for LocalSend
+ sudo ufw allow 53317/udp
+ sudo ufw allow 53317/tcp
+
+ # Allow SSH in
+ sudo ufw allow 22/tcp
+
+ # Allow Docker containers to use DNS on host
+ sudo ufw allow in on docker0 to any port 53
+
+ # Turn on the firewall
+ sudo ufw enable
+ sudo ufw reload
+fi
From b1c5b420bc5be90c45f0ed34f3e4526c928cdce2 Mon Sep 17 00:00:00 2001
From: David Heinemeier Hansson
Date: Wed, 16 Jul 2025 16:47:36 -0700
Subject: [PATCH 2/3] Add migration to enable firewall
---
migrations/1752709610.sh | 2 ++
1 file changed, 2 insertions(+)
create mode 100644 migrations/1752709610.sh
diff --git a/migrations/1752709610.sh b/migrations/1752709610.sh
new file mode 100644
index 0000000..e220d58
--- /dev/null
+++ b/migrations/1752709610.sh
@@ -0,0 +1,2 @@
+echo "Enable ufw firewall"
+source ~/.local/share/omarchy/install/firewall.sh
From a735337a59b676b5ff094b9b5cc46701705d2b4f Mon Sep 17 00:00:00 2001
From: David Heinemeier Hansson
Date: Wed, 16 Jul 2025 16:56:40 -0700
Subject: [PATCH 3/3] Turn on ufw-docker
---
install/firewall.sh | 3 +++
1 file changed, 3 insertions(+)
diff --git a/install/firewall.sh b/install/firewall.sh
index d8a92ab..f12fe8f 100644
--- a/install/firewall.sh
+++ b/install/firewall.sh
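Review bot: The `if ! command -v ufw &>/dev/null` guard wraps the entire script, so on any machine where ufw is already installed nothing after the `yay` line runs — no `default deny incoming`, no allow rules and no `ufw enable` — even though the commit message and the migration that sources this file both claim the firewall is now enabled. Only the package install needs the guard; ufw's `default` and `allow` commands are idempotent (existing rules are skipped), so close the block right after the install, `if ! command -v ufw &>/dev/null; then yay -Sy --noconfirm --needed ufw ufw-docker; fi`, and run the rule and enable commands unconditionally. `sudo ufw enable` also asks for confirmation when it detects an SSH session, which would stall a non-interactive migration run; `sudo ufw --force enable` skips the prompt. Separately, `yay -Sy` refreshes the package database without upgrading, which on Arch is a partial-upgrade risk; `yay -S --noconfirm --needed ufw ufw-docker` (or a full `-Syu`) is the safer form.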
@@ -19,5 +19,8 @@ if ! command -v ufw &>/dev/null; then
 # Turn on the firewall
 sudo ufw enable
+
+ # Turn on Docker protections
+ sudo ufw-docker install
 sudo ufw reload
 fi
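Review bot: `sudo ufw-docker install` changes what a published container port means — per ufw-docker's own documentation it rewrites `/etc/ufw/after.rules` so ports Docker exposes with `-p` are no longer reachable from outside until an explicit `ufw-docker allow <container> <port>` is added — and the one-line comment does not say so; a comment such as `# Rewrites /etc/ufw/after.rules: published container ports are blocked until allowed with 'ufw-docker allow'` would spare the next reader a surprise when a container stops answering. The call also sits inside the `if ! command -v ufw` block, whose opening line is outside this hunk, so hosts that already had ufw installed never receive the Docker protection while the migration still reports the firewall as enabled. Running `sudo ufw reload` immediately after the install, as the hunk does, is correct since the after.rules change only takes effect on reload.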