From 40995928dea82b4a9183d7e6df8d0e063e87836a Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Tue, 18 Nov 2025 14:09:46 +0300
Subject: [PATCH] =?UTF-8?q?fix:=20=D1=83=D0=BC=D0=BD=D0=B0=D1=8F=20=D0=BF?=
 =?UTF-8?q?=D1=80=D0=BE=D0=B2=D0=B5=D1=80=D0=BA=D0=B0=20UFW=20=D0=BF=D1=80?=
 =?UTF-8?q?=D0=B0=D0=B2=D0=B8=D0=BB=20=D0=B1=D0=B5=D0=B7=20=D0=BF=D1=80?=
 =?UTF-8?q?=D0=B8=D0=BD=D1=83=D0=B4=D0=B8=D1=82=D0=B5=D0=BB=D1=8C=D0=BD?=
 =?UTF-8?q?=D0=BE=D0=B3=D0=BE=20reset?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Исправлена ошибка проверки SSH правила и добавлена интеллектуальная система управления правилами UFW.

Изменения:
- Добавлена функция check_rule_exists для проверки существующих правил (активный и неактивный UFW)
- Модифицирована verify_ssh_rule_exists: комбинированная проверка через ufw status и ufw show added
- Модифицированы add_ssh_rule и add_https_rule: проверка перед добавлением, нет дублирования
- Модифицирована main: опциональный reset только при подтверждении пользователя
- Сохранение существующих правил UFW без необходимости пересоздания

Проблемы решены:
- ufw status не показывает правила когда UFW неактивен
- Автоматический reset удалял все существующие правила
- Дублирование правил при повторном запуске скрипта

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 scripts/ufw-setup.sh | 100 +++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 96 insertions(+), 4 deletions(-)

diff --git a/scripts/ufw-setup.sh b/scripts/ufw-setup.sh
index cf66c0c..9fd3782 100755
--- a/scripts/ufw-setup.sh
+++ b/scripts/ufw-setup.sh
@@ -146,6 +146,13 @@ configure_ufw_defaults() {
 add_ssh_rule() {
     local ssh_port=$1
 
+    info "Checking SSH rule for port $ssh_port..."
+
+    if check_rule_exists "$ssh_port" "tcp"; then
+        success "SSH rule for port $ssh_port already exists - skipping"
+        return 0
+    fi
+
     info "Adding SSH rule for port $ssh_port..."
 
     if [[ "$DRY_RUN" == true ]]; then
@@ -158,6 +165,13 @@ add_ssh_rule() {
 }
 
 add_https_rule() {
+    info "Checking HTTPS rule..."
+
+    if check_rule_exists "443" "tcp"; then
+        success "HTTPS rule for port 443 already exists - skipping"
+        return 0
+    fi
+
     info "Adding HTTPS rule..."
 
     if [[ "$DRY_RUN" == true ]]; then
@@ -176,9 +190,38 @@ verify_ssh_rule_exists() {
         return 0
     fi
 
-    if ! ufw status | grep -q "$ssh_port/tcp"; then
-        error "SSH rule not found! This would block your SSH access. Aborting."
+    if ufw status | grep -q "Status: active"; then
+        if ufw status | grep -q "$ssh_port/tcp"; then
+            return 0
+        fi
+    else
+        if ufw show added | grep -q "allow $ssh_port/tcp"; then
+            return 0
+        fi
     fi
+
+    error "SSH rule not found! This would block your SSH access. Aborting."
+}
+
+check_rule_exists() {
+    local port=$1
+    local protocol="${2:-tcp}"
+
+    if [[ "$DRY_RUN" == true ]]; then
+        return 1
+    fi
+
+    if ufw status | grep -q "Status: active"; then
+        if ufw status | grep -q "$port/$protocol"; then
+            return 0
+        fi
+    else
+        if ufw show added | grep -q "allow $port/$protocol"; then
+            return 0
+        fi
+    fi
+
+    return 1
 }
 
 enable_ufw() {
@@ -212,6 +255,21 @@ display_ufw_status() {
     ufw status verbose
 }
 
+confirm_reset() {
+    echo ""
+    warning "WARNING: This will reset all existing UFW rules"
+    warning "All current firewall rules will be removed"
+    echo ""
+    read -p "Reset UFW rules? (yes/no): " -r
+    echo ""
+
+    if [[ $REPLY =~ ^[Yy][Ee][Ss]$ ]]; then
+        return 0
+    else
+        return 1
+    fi
+}
+
 confirm_enable() {
     echo ""
     warning "WARNING: UFW will block all incoming traffic except SSH and HTTPS"
@@ -252,8 +310,42 @@ main() {
     info "Detected SSH port: $SSH_PORT"
     echo ""
 
-    reset_ufw_rules
-    configure_ufw_defaults
+    if [[ "$DRY_RUN" == false ]]; then
+        local ufw_active=false
+        if ufw status | grep -q "Status: active"; then
+            ufw_active=true
+            info "UFW is currently active"
+        else
+            info "UFW is currently inactive"
+        fi
+
+        if [[ "$ufw_active" == true ]]; then
+            info "Checking existing rules..."
+            local ssh_exists=false
+            local https_exists=false
+
+            if check_rule_exists "$SSH_PORT" "tcp"; then
+                ssh_exists=true
+            fi
+            if check_rule_exists "443" "tcp"; then
+                https_exists=true
+            fi
+
+            if [[ "$ssh_exists" == true && "$https_exists" == true ]]; then
+                success "Required rules (SSH:$SSH_PORT, HTTPS:443) already exist"
+                info "No reset needed - will add missing rules only"
+            else
+                warning "Some required rules are missing"
+                if confirm_reset; then
+                    reset_ufw_rules
+                    configure_ufw_defaults
+                fi
+            fi
+        else
+            info "UFW not active - configuring from scratch"
+            configure_ufw_defaults
+        fi
+    fi
 
     echo ""
     add_ssh_rule "$SSH_PORT"