Add NTP and HTTPS ports to firewalls

Add NTP as a used port, adds NTP and HTTPS to firewalls and adds an abbreviation for NTP.

Signed-off-by: darkexplosiveqwx <[email protected]>

Author: darkexplosiveqwx

docs/abbreviations.md

@@ -48,3 +48,4 @@
 *[URL]: Uniform Resource Locator, commonly known as "web address"
 *[REST]: Representational State Transfer - a software architecture for distributed systems like the World Wide Web (WWW)
 *[XSS]: Cross-site scripting
+*[NTP]: Network Time Protocol is used to synchronize the clocks of computers over a network

docs/main/prerequisites.md

@@ -78,9 +78,11 @@ Pi-hole needs a static IP address to properly function (a DHCP reservation is ju
 | pihole-FTL          | 547 (DHCPv6) | IPv6 UDP | The DHCP server is an optional feature that requires additional ports. |
 | pihole-FTL          | 80  (HTTP)<br/>443   (HTTPS)    | TCP      | If you have another webserver already listening on port `80`/`443`, then `pihole-FTL` will attempt to bind to `8080`/`8443` instead. If neither of these ports are available, `pihole-FTL`'s webserver will be unavailable until ports are configured manually (see configuration option `webserver.port`)  |
 | pihole-FTL          | 4711    | TCP      | FTL is our API engine and uses port 4711 on the localhost interface. This port should not be accessible from any other interface.|
+| pihole-FTL          | 123 (NTP)    | UDP      | The NTP server is an optional feature that requires an additional port. |
 
 !!! info
     The use of pihole-FTL on ports _67_ or _547_ is optional, but required if you use the DHCP functions of Pi-hole.
+    The use of port _123_ is required when using pihole-FTL as NTP-Server.
 
 ### Firewalls
 
@@ -97,12 +99,14 @@ IPTables (IPv4)
 
 ```bash
 iptables -I INPUT 1 -s 192.168.0.0/16 -p tcp -m tcp --dport 80 -j ACCEPT
+iptables -I INPUT 1 -s 192.168.0.0/16 -p tcp -m tcp --dport 443 -j ACCEPT
 iptables -I INPUT 1 -s 127.0.0.0/8 -p tcp -m tcp --dport 53 -j ACCEPT
 iptables -I INPUT 1 -s 127.0.0.0/8 -p udp -m udp --dport 53 -j ACCEPT
 iptables -I INPUT 1 -s 192.168.0.0/16 -p tcp -m tcp --dport 53 -j ACCEPT
 iptables -I INPUT 1 -s 192.168.0.0/16 -p udp -m udp --dport 53 -j ACCEPT
 iptables -I INPUT 1 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
 iptables -I INPUT 1 -p tcp -m tcp --dport 4711 -i lo -j ACCEPT
+iptables -I INPUT 1 -p udp --dport 123 -j ACCEPT
 iptables -I INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 ```
 
@@ -118,7 +122,7 @@ ip6tables -I INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 Using the `--permanent` argument will ensure the firewall rules persist reboots. If only IPv4 blocking is used for the Pi-hole installation, the `dhcpv6` service can be removed from the commands below. Create a new zone for the local interface (`lo`) for the pihole-FTL ports to ensure the API is only accessible locally. Finally `--reload` to have the new firewall configuration take effect immediately.
 
 ```bash
-firewall-cmd --permanent --add-service=http --add-service=dns --add-service=dhcp --add-service=dhcpv6
+firewall-cmd --permanent --add-service=http --add-service=https --add-service=dns --add-service=dhcp --add-service=dhcpv6 --add-service=ntp
 firewall-cmd --permanent --new-zone=ftl
 firewall-cmd --permanent --zone=ftl --add-interface=lo
 firewall-cmd --permanent --zone=ftl --add-port=4711/tcp
@@ -133,10 +137,12 @@ IPv4:
 
 ```bash
 ufw allow 80/tcp
+ufw allow 443/tcp
 ufw allow 53/tcp
 ufw allow 53/udp
 ufw allow 67/tcp
 ufw allow 67/udp
+ufw allow 123/udp
 ```
 
 IPv6 (include above IPv4 rules):