diff --git a/AppImage/components/security.tsx b/AppImage/components/security.tsx index 6d692db8..d18a69ee 100644 --- a/AppImage/components/security.tsx +++ b/AppImage/components/security.tsx @@ -9,7 +9,8 @@ import { Shield, Lock, User, AlertCircle, CheckCircle, Info, LogOut, Key, Copy, Eye, EyeOff, Trash2, RefreshCw, Clock, ShieldCheck, Globe, FileKey, AlertTriangle, Flame, Bug, Search, Download, Power, PowerOff, Plus, Minus, Activity, Settings, Ban, - FileText, Printer, Play, BarChart3, TriangleAlert, ChevronDown, + FileText, Printer, Play, BarChart3, TriangleAlert, ChevronDown, ArrowDownLeft, ArrowUpRight, + ChevronRight, Network, Zap, Pencil, Check, X, } from "lucide-react" import { getApiUrl, fetchApi } from "../lib/api-config" import { TwoFactorSetup } from "./two-factor-setup" @@ -88,6 +89,14 @@ export function Security() { }) const [addingRule, setAddingRule] = useState(false) const [deletingRuleIdx, setDeletingRuleIdx] = useState(null) + const [expandedRuleKey, setExpandedRuleKey] = useState(null) + const [editingRuleKey, setEditingRuleKey] = useState(null) + const [editRule, setEditRule] = useState({ + direction: "IN", action: "ACCEPT", protocol: "tcp", + dport: "", sport: "", source: "", iface: "", comment: "", level: "host", + }) + const [savingRule, setSavingRule] = useState(false) + const [networkInterfaces, setNetworkInterfaces] = useState<{name: string, type: string, status: string}[]>([]) // Security Tools state const [toolsLoading, setToolsLoading] = useState(true) @@ -174,6 +183,7 @@ export function Security() { const [proxmoxCertInfo, setProxmoxCertInfo] = useState<{subject?: string; expires?: string; issuer?: string; is_self_signed?: boolean} | null>(null) const [loadingSsl, setLoadingSsl] = useState(true) const [configuringSsl, setConfiguringSsl] = useState(false) + const [sslRestarting, setSslRestarting] = useState(false) const [showCustomCertForm, setShowCustomCertForm] = useState(false) const [customCertPath, setCustomCertPath] = useState("") const [customKeyPath, setCustomKeyPath] = useState("") @@ -183,6 +193,7 @@ export function Security() { loadApiTokens() loadSslStatus() loadFirewallStatus() + loadNetworkInterfaces() loadSecurityTools() }, []) @@ -208,6 +219,22 @@ export function Security() { } } + const loadNetworkInterfaces = async () => { + try { + const data = await fetchApi("/api/network") + // The API returns interfaces in separate arrays: physical_interfaces, bridge_interfaces, etc. + // The generic "interfaces" array only holds uncategorized types and is usually empty. + const all = [ + ...(data.physical_interfaces || []), + ...(data.bridge_interfaces || []), + ...(data.interfaces || []), + ].sort((a: any, b: any) => a.name.localeCompare(b.name)) + setNetworkInterfaces(all) + } catch { + // Silently fail - select will just show "Any interface" + } + } + const loadSecurityTools = async () => { try { setToolsLoading(true) @@ -470,6 +497,51 @@ export function Security() { } } + const startEditRule = (rule: any) => { + const ruleKey = `${rule.source_file}-${rule.rule_index}` + const comment = rule.raw?.includes("#") ? rule.raw.split("#").slice(1).join("#").trim() : "" + setEditingRuleKey(ruleKey) + setEditRule({ + direction: rule.direction || "IN", + action: rule.action || "ACCEPT", + protocol: rule.p || "tcp", + dport: rule.dport || "", + sport: "", + source: rule.source || "", + iface: rule.i || "", + comment, + level: rule.source_file || "host", + }) + } + + const handleSaveEditRule = async (oldRuleIndex: number, oldLevel: string) => { + setSavingRule(true) + setError("") + setSuccess("") + try { + const data = await fetchApi("/api/security/firewall/rules/edit", { + method: "PUT", + headers: { "Content-Type": "application/json" }, + body: JSON.stringify({ + rule_index: oldRuleIndex, + level: oldLevel, + new_rule: editRule, + }), + }) + if (data.success) { + setSuccess(data.message || "Rule updated successfully") + setEditingRuleKey(null) + loadFirewallStatus() + } else { + setError(data.message || "Failed to update rule") + } + } catch (err) { + setError(err instanceof Error ? err.message : "Failed to update rule") + } finally { + setSavingRule(false) + } + } + const handleFirewallToggle = async (level: "host" | "cluster", enable: boolean) => { setFirewallAction(true) setError("") @@ -1256,13 +1328,49 @@ ${(report.sections && report.sections.length > 0) ? ` } } + // Wait for the monitor service to come back on the new protocol, then redirect + const waitForServiceAndRedirect = async (newProtocol: "https" | "http") => { + const host = window.location.hostname + const port = window.location.port || "8008" + const newUrl = `${newProtocol}://${host}:${port}${window.location.pathname}` + + // Wait for service to restart (try up to 30 seconds) + const maxAttempts = 15 + for (let i = 0; i < maxAttempts; i++) { + await new Promise(r => setTimeout(r, 2000)) + try { + const controller = new AbortController() + const timeout = setTimeout(() => controller.abort(), 3000) + const resp = await fetch(`${newProtocol}://${host}:${port}/api/ssl/status`, { + signal: controller.signal, + // For self-signed certs, we need to handle rejection + mode: "no-cors" + }).catch(() => null) + clearTimeout(timeout) + + // For HTTPS with self-signed certs, even a failed CORS request means the server is up + if (resp || newProtocol === "https") { + // Give it one more second to fully stabilize + await new Promise(r => setTimeout(r, 1000)) + window.location.href = newUrl + return + } + } catch { + // Server not ready yet, keep waiting + } + } + + // Fallback: redirect anyway after timeout + window.location.href = newUrl + } + const handleEnableSsl = async (source: "proxmox" | "custom", certPath?: string, keyPath?: string) => { setConfiguringSsl(true) setError("") setSuccess("") try { - const body: Record = { source } + const body: Record = { source, auto_restart: true } if (source === "custom" && certPath && keyPath) { body.cert_path = certPath body.key_path = keyPath @@ -1275,25 +1383,27 @@ ${(report.sections && report.sections.length > 0) ? ` }) if (data.success) { - setSuccess(data.message || "SSL configured successfully. Restart the monitor service to apply.") setSslEnabled(true) setSslSource(source) setShowCustomCertForm(false) setCustomCertPath("") setCustomKeyPath("") - loadSslStatus() + setConfiguringSsl(false) + setSslRestarting(true) + setSuccess("SSL enabled. Restarting service and switching to HTTPS...") + await waitForServiceAndRedirect("https") } else { setError(data.message || "Failed to configure SSL") + setConfiguringSsl(false) } } catch (err) { setError(err instanceof Error ? err.message : "Failed to configure SSL") - } finally { setConfiguringSsl(false) } } const handleDisableSsl = async () => { - if (!confirm("Are you sure you want to disable HTTPS? The monitor will revert to HTTP after restart.")) { + if (!confirm("Are you sure you want to disable HTTPS? The monitor will switch to HTTP.")) { return } @@ -1302,21 +1412,27 @@ ${(report.sections && report.sections.length > 0) ? ` setSuccess("") try { - const data = await fetchApi("/api/ssl/disable", { method: "POST" }) + const data = await fetchApi("/api/ssl/disable", { + method: "POST", + headers: { "Content-Type": "application/json" }, + body: JSON.stringify({ auto_restart: true }), + }) if (data.success) { - setSuccess(data.message || "SSL disabled. Restart the monitor service to apply.") setSslEnabled(false) setSslSource("none") setSslCertPath("") setSslKeyPath("") - loadSslStatus() + setConfiguringSsl(false) + setSslRestarting(true) + setSuccess("SSL disabled. Restarting service and switching to HTTP...") + await waitForServiceAndRedirect("http") } else { setError(data.message || "Failed to disable SSL") + setConfiguringSsl(false) } } catch (err) { setError(err instanceof Error ? err.message : "Failed to disable SSL") - } finally { setConfiguringSsl(false) } } @@ -1683,10 +1799,10 @@ ${(report.sections && report.sections.length > 0) ? ` onClick={handleDisableSsl} variant="outline" size="sm" - disabled={configuringSsl} + disabled={configuringSsl || sslRestarting} className="mt-2 text-red-500 border-red-500/30 hover:bg-red-500/10 bg-transparent" > - {configuringSsl ? "Disabling..." : "Disable HTTPS"} + {configuringSsl ? "Disabling..." : sslRestarting ? "Restarting..." : "Disable HTTPS"} )} @@ -1722,7 +1838,7 @@ ${(report.sections && report.sections.length > 0) ? ` @@ -1817,14 +1933,27 @@ ${(report.sections && report.sections.length > 0) ? ` )} - {/* Info note about restart */} -
- -

- Changes to SSL configuration require a monitor service restart to take effect. - The service will automatically use HTTPS on port 8008 when enabled. -

-
+ {/* Restarting overlay or info note */} + {sslRestarting ? ( +
+
+
+

+ Restarting monitor service... +

+

+ The page will automatically redirect to the new address. +

+
+
+ ) : ( +
+ +

+ SSL changes will automatically restart the monitor service and redirect to the new address. +

+
+ )} )} @@ -2283,6 +2412,90 @@ ${(report.sections && report.sections.length > 0) ? ` )}
+ {/* Rules Summary Dashboard */} + {firewallData.rules.length > 0 && (() => { + const acceptCount = firewallData.rules.filter(r => r.action === "ACCEPT").length + const dropCount = firewallData.rules.filter(r => r.action === "DROP").length + const rejectCount = firewallData.rules.filter(r => r.action === "REJECT").length + const blockCount = dropCount + rejectCount + const total = firewallData.rules.length + const clusterCount = firewallData.rules.filter(r => r.source_file === "cluster").length + const hostCount = firewallData.rules.filter(r => r.source_file === "host").length + const inCount = firewallData.rules.filter(r => (r.direction || "IN") === "IN").length + const outCount = firewallData.rules.filter(r => r.direction === "OUT").length + // Collect unique protected ports + const protectedPorts = new Set() + firewallData.rules.forEach(r => { + if (r.dport) r.dport.split(",").forEach(p => protectedPorts.add(p.trim())) + }) + + return ( +
+

Rules Overview

+
+
+

{total}

+

Total Rules

+
+
+

{acceptCount}

+

Accept

+
+
+

{blockCount}

+

Block / Reject

+
+
+

{protectedPorts.size}

+

Ports Covered

+
+
+ {/* Visual bar */} +
+
+
+ {acceptCount > 0 && ( +
+ )} + {dropCount > 0 && ( +
+ )} + {rejectCount > 0 && ( +
+ )} +
+
+ Accept + Drop + Reject +
+
+
+ Accept + Drop + Reject +
+
+ {/* Scope breakdown */} +
+ + Cluster: {clusterCount} + + + Host: {hostCount} + + | + + IN: {inCount} + + + OUT: {outCount} + +
+
+ ) + })()} + {/* Firewall Rules */}
@@ -2308,6 +2521,42 @@ ${(report.sections && report.sections.length > 0) ? `

New Firewall Rule

+ {/* Service Presets */} +
+

Quick Presets

+
+ {[ + { label: "HTTP", port: "80", proto: "tcp", comment: "HTTP Web" }, + { label: "HTTPS", port: "443", proto: "tcp", comment: "HTTPS Web" }, + { label: "SSH", port: "22", proto: "tcp", comment: "SSH Remote Access" }, + { label: "DNS", port: "53", proto: "udp", comment: "DNS" }, + { label: "SMTP", port: "25", proto: "tcp", comment: "SMTP Mail" }, + { label: "NFS", port: "2049", proto: "tcp", comment: "NFS" }, + { label: "SMB", port: "445", proto: "tcp", comment: "SMB/CIFS" }, + { label: "Ping", port: "", proto: "icmp", comment: "ICMP Ping" }, + ].map((preset) => ( + + ))} +
+
+
@@ -2372,12 +2621,18 @@ ${(report.sections && report.sections.length > 0) ? `
- setNewRule({...newRule, iface: e.target.value})} - className="h-9 text-sm" - /> + className="w-full h-9 rounded-md border border-border bg-card px-3 text-sm" + > + + {networkInterfaces.map((iface) => ( + + ))} +
@@ -2432,51 +2687,242 @@ ${(report.sections && report.sections.length > 0) ? ` {firewallData.rules.length > 0 ? (
{/* Table header */} -
- Action - Direction - Proto - Port - Source - Level - +
+ + Action + + Proto + Port + Source + Level +
-
- {firewallData.rules.map((rule, idx) => ( -
- - {rule.action || "?"} - - {rule.direction || "IN"} - {rule.p || "-"} - {rule.dport || "-"} - {rule.source || "any"} - - {rule.source_file} - - + +
+
+ ) : ( + /* ── Read-only Details ── */ + <> +
+
+

Direction

+

+ {direction === "IN" ? : } + {direction === "IN" ? "Incoming" : "Outgoing"} +

+
+
+

Protocol

+

{rule.p || "any"}

+
+
+

Port

+

{rule.dport || "any"}

+
+
+

Source

+

{rule.source || "any"}

+
+ {rule.i && ( +
+

Interface

+

{rule.i}

+
+ )} +
+

Scope

+

+ {rule.source_file === "cluster" ? : } + {rule.source_file === "cluster" ? "Cluster" : "Host"} +

+
+ {comment && ( +
+

Comment

+

{comment}

+
+ )} +
+
+ {rule.raw} +
+ + +
+
+ + )} +
)} - -
- ))} +
+ ) + })}
) : ( diff --git a/AppImage/components/system-logs.tsx b/AppImage/components/system-logs.tsx index ce3f308e..c4cddfd1 100644 --- a/AppImage/components/system-logs.tsx +++ b/AppImage/components/system-logs.tsx @@ -158,21 +158,15 @@ export function SystemLogs() { const fetchSystemLogs = async (): Promise => { try { - let apiUrl = "/api/logs" - const params = new URLSearchParams() - const daysAgo = dateFilter === "custom" ? Number.parseInt(customDays) : Number.parseInt(dateFilter) - // Clamp days to valid range const clampedDays = Math.max(1, Math.min(daysAgo || 1, 90)) - params.append("since_days", clampedDays.toString()) - params.append("limit", "5000") - - if (params.toString()) { - apiUrl += `?${params.toString()}` - } + // Only send since_days - no limit param, so the backend returns ALL logs for the period + const apiUrl = `/api/logs?since_days=${clampedDays}` + console.log(`[v0] Fetching logs for ${clampedDays} days...`) const data = await fetchApi(apiUrl) const logsArray = Array.isArray(data) ? data : data.logs || [] + console.log(`[v0] Logs: parsed=${logsArray.length}, journal_total=${data.journal_total || 'N/A'}, skipped=${data.skipped || 0} for ${clampedDays} day(s)`) return logsArray } catch { setError("Failed to load logs. Please try again.") @@ -550,8 +544,13 @@ export function SystemLogs() { if (loading && logs.length === 0 && events.length === 0) { return ( -
- +
+
+
+
+
+
Loading logs...
+

Fetching system logs and events

) } @@ -559,11 +558,13 @@ export function SystemLogs() { return (
{loading && (logs.length > 0 || events.length > 0) && ( -
-
- -
Loading logs selected...
-
Please wait while we fetch the logs
+
+
+
+
+
+
+
Loading logs...
)} diff --git a/AppImage/components/system-overview.tsx b/AppImage/components/system-overview.tsx index 9d8318bc..d8f6cb5e 100644 --- a/AppImage/components/system-overview.tsx +++ b/AppImage/components/system-overview.tsx @@ -7,10 +7,17 @@ import { Badge } from "./ui/badge" import { Cpu, MemoryStick, Thermometer, Server, Zap, AlertCircle, HardDrive, Network } from "lucide-react" import { NodeMetricsCharts } from "./node-metrics-charts" import { NetworkTrafficChart } from "./network-traffic-chart" +import { TemperatureDetailModal } from "./temperature-detail-modal" import { Select, SelectContent, SelectItem, SelectTrigger, SelectValue } from "./ui/select" import { fetchApi } from "../lib/api-config" import { formatNetworkTraffic, getNetworkUnit } from "../lib/format-network" import { formatStorage } from "../lib/utils" +import { Area, AreaChart, ResponsiveContainer } from "recharts" + +interface TempDataPoint { + timestamp: number + value: number +} interface SystemData { cpu_usage: number @@ -18,6 +25,7 @@ interface SystemData { memory_total: number memory_used: number temperature: number + temperature_sparkline?: TempDataPoint[] uptime: string load_average: number[] hostname: string @@ -178,6 +186,7 @@ export function SystemOverview() { const [networkTimeframe, setNetworkTimeframe] = useState("day") const [networkTotals, setNetworkTotals] = useState<{ received: number; sent: number }>({ received: 0, sent: 0 }) const [networkUnit, setNetworkUnit] = useState<"Bytes" | "Bits">("Bytes") // Added networkUnit state + const [tempModalOpen, setTempModalOpen] = useState(false) useEffect(() => { const fetchAllData = async () => { @@ -458,27 +467,60 @@ export function SystemOverview() { - + 0 ? "cursor-pointer hover:bg-white/5 transition-colors" : ""}`} + onClick={() => systemData.temperature > 0 && setTempModalOpen(true)} + > Temperature -
- {systemData.temperature === 0 ? "N/A" : `${systemData.temperature}°C`} -
-
+
+ + {systemData.temperature === 0 ? "N/A" : `${Math.round(systemData.temperature * 10) / 10}°C`} + {tempStatus.status}
-

- {systemData.temperature === 0 ? "No sensor available" : "Live temperature reading"} -

+ {systemData.temperature > 0 && systemData.temperature_sparkline && systemData.temperature_sparkline.length > 1 ? ( +
+ + + + + = 75 ? "#ef4444" : systemData.temperature >= 60 ? "#f59e0b" : "#22c55e"} stopOpacity={0.3} /> + = 75 ? "#ef4444" : systemData.temperature >= 60 ? "#f59e0b" : "#22c55e"} stopOpacity={0} /> + + + = 75 ? "#ef4444" : systemData.temperature >= 60 ? "#f59e0b" : "#22c55e"} + strokeWidth={1.5} + fill="url(#tempSparkGradient)" + dot={false} + isAnimationActive={false} + /> + + +
+ ) : ( +

+ {systemData.temperature === 0 ? "No sensor available" : "Collecting data..."} +

+ )}
+ +
diff --git a/AppImage/scripts/flask_auth_routes.py b/AppImage/scripts/flask_auth_routes.py index c7a8c7f3..254cb76b 100644 --- a/AppImage/scripts/flask_auth_routes.py +++ b/AppImage/scripts/flask_auth_routes.py @@ -4,6 +4,10 @@ Provides REST API endpoints for authentication management """ import logging +import os +import subprocess +import threading +import time from flask import Blueprint, jsonify, request import auth_manager import jwt @@ -73,12 +77,36 @@ def ssl_status(): return jsonify({"success": False, "message": str(e)}), 500 +def _schedule_service_restart(delay=1.5): + """Schedule a restart of the monitor service via systemctl after a short delay. + This gives time for the HTTP response to reach the client before the process restarts.""" + def _do_restart(): + time.sleep(delay) + print("[ProxMenux] Restarting monitor service to apply SSL changes...") + # Use systemctl restart which properly stops and starts the service. + # This works because systemd manages proxmenux-monitor.service. + try: + subprocess.Popen( + ["systemctl", "restart", "proxmenux-monitor"], + stdout=subprocess.DEVNULL, + stderr=subprocess.DEVNULL + ) + except Exception as e: + print(f"[ProxMenux] Failed to restart via systemctl: {e}") + # Fallback: try to restart the process directly + os.kill(os.getpid(), 15) # SIGTERM + + t = threading.Thread(target=_do_restart, daemon=True) + t.start() + + @auth_bp.route('/api/ssl/configure', methods=['POST']) def ssl_configure(): """Configure SSL with Proxmox or custom certificates""" try: data = request.json or {} source = data.get("source", "proxmox") + auto_restart = data.get("auto_restart", True) if source == "proxmox": cert_path = auth_manager.PROXMOX_CERT_PATH @@ -92,7 +120,14 @@ def ssl_configure(): success, message = auth_manager.configure_ssl(cert_path, key_path, source) if success: - return jsonify({"success": True, "message": message, "requires_restart": True}) + if auto_restart: + _schedule_service_restart() + return jsonify({ + "success": True, + "message": "SSL enabled. The service is restarting...", + "restarting": auto_restart, + "new_protocol": "https" + }) else: return jsonify({"success": False, "message": message}), 400 except Exception as e: @@ -103,10 +138,20 @@ def ssl_configure(): def ssl_disable(): """Disable SSL and return to HTTP""" try: + data = request.json or {} + auto_restart = data.get("auto_restart", True) + success, message = auth_manager.disable_ssl() if success: - return jsonify({"success": True, "message": message, "requires_restart": True}) + if auto_restart: + _schedule_service_restart() + return jsonify({ + "success": True, + "message": "SSL disabled. The service is restarting...", + "restarting": auto_restart, + "new_protocol": "http" + }) else: return jsonify({"success": False, "message": message}), 400 except Exception as e: diff --git a/AppImage/scripts/flask_security_routes.py b/AppImage/scripts/flask_security_routes.py index 426145da..9870c72b 100644 --- a/AppImage/scripts/flask_security_routes.py +++ b/AppImage/scripts/flask_security_routes.py @@ -106,6 +106,39 @@ def firewall_delete_rule(): return jsonify({"success": False, "message": str(e)}), 500 +@security_bp.route('/api/security/firewall/rules/edit', methods=['PUT']) +def firewall_edit_rule(): + """Edit an existing firewall rule (delete old + insert new at same position)""" + if not security_manager: + return jsonify({"success": False, "message": "Security manager not available"}), 500 + try: + data = request.json or {} + rule_index = data.get("rule_index") + level = data.get("level", "host") + new_rule = data.get("new_rule", {}) + if rule_index is None: + return jsonify({"success": False, "message": "rule_index is required"}), 400 + + success, message = security_manager.edit_firewall_rule( + rule_index=int(rule_index), + level=level, + direction=new_rule.get("direction", "IN"), + action=new_rule.get("action", "ACCEPT"), + protocol=new_rule.get("protocol", "tcp"), + dport=new_rule.get("dport", ""), + sport=new_rule.get("sport", ""), + source=new_rule.get("source", ""), + iface=new_rule.get("iface", ""), + comment=new_rule.get("comment", ""), + ) + if success: + return jsonify({"success": True, "message": message}) + else: + return jsonify({"success": False, "message": message}), 400 + except Exception as e: + return jsonify({"success": False, "message": str(e)}), 500 + + @security_bp.route('/api/security/firewall/monitor-port', methods=['POST']) def firewall_add_monitor_port(): """Add firewall rule to allow port 8008 for ProxMenux Monitor""" diff --git a/AppImage/scripts/security_manager.py b/AppImage/scripts/security_manager.py index 1a9472d6..8958a284 100644 --- a/AppImage/scripts/security_manager.py +++ b/AppImage/scripts/security_manager.py @@ -274,6 +274,96 @@ def add_firewall_rule(direction="IN", action="ACCEPT", protocol="tcp", dport="", return False, f"Failed to add firewall rule: {str(e)}" +def edit_firewall_rule(rule_index, level="host", direction="IN", action="ACCEPT", + protocol="tcp", dport="", sport="", source="", iface="", comment=""): + """ + Edit an existing firewall rule by replacing it in-place. + Deletes the old rule at rule_index and inserts the new one at the same position. + Returns (success, message) + """ + # Validate inputs + action = action.upper() + if action not in ("ACCEPT", "DROP", "REJECT"): + return False, f"Invalid action: {action}. Must be ACCEPT, DROP, or REJECT" + direction = direction.upper() + if direction not in ("IN", "OUT"): + return False, f"Invalid direction: {direction}. Must be IN or OUT" + + # Build new rule line + parts = [direction, action] + if protocol: + parts.extend(["-p", protocol.lower()]) + if dport: + if not re.match(r'^[\d:,]+$', dport): + return False, f"Invalid destination port: {dport}" + parts.extend(["-dport", dport]) + if sport: + if not re.match(r'^[\d:,]+$', sport): + return False, f"Invalid source port: {sport}" + parts.extend(["-sport", sport]) + if source: + parts.extend(["-source", source]) + if iface: + parts.extend(["-i", iface]) + parts.extend(["-log", "nolog"]) + if comment: + safe_comment = re.sub(r'[^\w\s\-._/():]', '', comment) + parts.append(f"# {safe_comment}") + new_rule_line = " ".join(parts) + + # Determine target file + if level == "cluster": + fw_file = CLUSTER_FW + else: + fw_file = os.path.join(HOST_FW_DIR, "host.fw") + + if not os.path.isfile(fw_file): + return False, "Firewall config file not found" + + try: + with open(fw_file, 'r') as f: + content = f.read() + + lines = content.splitlines() + new_lines = [] + in_rules = False + current_rule_idx = 0 + replaced = False + + for line in lines: + stripped = line.strip() + if stripped.startswith('['): + section_match = re.match(r'\[(\w+)\]', stripped) + if section_match: + section = section_match.group(1).upper() + in_rules = section in ("RULES", "IN", "OUT") + + if in_rules and stripped and not stripped.startswith('#') and not stripped.startswith('['): + if current_rule_idx == rule_index: + # Replace the old rule with the new one + new_lines.append(new_rule_line) + replaced = True + current_rule_idx += 1 + continue + current_rule_idx += 1 + + new_lines.append(line) + + if not replaced: + return False, f"Rule index {rule_index} not found" + + with open(fw_file, 'w') as f: + f.write("\n".join(new_lines) + "\n") + + _run_cmd(["pve-firewall", "reload"]) + + return True, f"Firewall rule updated: {direction} {action} {protocol}{':' + dport if dport else ''}" + except PermissionError: + return False, "Permission denied. Cannot modify firewall config." + except Exception as e: + return False, f"Failed to edit rule: {str(e)}" + + def delete_firewall_rule(rule_index, level="host"): """ Delete a firewall rule by index from host or cluster config. diff --git a/scripts/post_install/auto_post_install.sh b/scripts/post_install/auto_post_install.sh index 108e01d6..2b575398 100644 --- a/scripts/post_install/auto_post_install.sh +++ b/scripts/post_install/auto_post_install.sh @@ -238,8 +238,12 @@ Seal=no Compress=yes SystemMaxUse=64M RuntimeMaxUse=60M -MaxLevelStore=warning -MaxLevelSyslog=warning +# MaxLevelStore=info allows ProxMenux Monitor to display system logs correctly. +# Using "warning" causes the log viewer to show nearly identical entries across +# all date ranges (1d/3d/7d) because most activity is info-level. +# It also prevents Fail2Ban from detecting SSH/Proxmox auth failures via journal. +MaxLevelStore=info +MaxLevelSyslog=info MaxLevelKMsg=warning MaxLevelConsole=notice MaxLevelWall=crit @@ -787,8 +791,10 @@ Compress=yes SystemMaxUse=${USE_MB}M SystemKeepFree=${KEEP_MB}M RuntimeMaxUse=${RUNTIME_MB}M -MaxLevelStore=warning -MaxLevelSyslog=warning +# MaxLevelStore=info: required for ProxMenux Monitor log display and Fail2Ban detection. +# Using "warning" silently discards most system logs making date filters useless. +MaxLevelStore=info +MaxLevelSyslog=info MaxLevelKMsg=warning MaxLevelConsole=notice MaxLevelWall=crit