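#!/usr/bin/env bash
#
# Step 60: remove masquerading (NAT) from the firewalld "FedoraServer" zone and
# open the WireGuard UDP port in that zone.
#
# Requires: systemctl, sudo, firewall-cmd, and ../common.sh, which is expected
# to provide require_cmd, log and warn (not visible from this file).
# When firewalld is not active, the script only emits a warning and changes
# nothing.
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# shellcheck source=../common.sh
. "$SCRIPT_DIR/../common.sh"

require_cmd systemctl

if systemctl is-active --quiet firewalld; then
  # Every firewall-cmd call below is best effort: a failure is reported through
  # warn and the script carries on (assumes warn returns 0 -- confirm in
  # common.sh; under `set -e` a failing warn would abort the script).
  log "[60] Remove masquerade in FedoraServer zone (single NAT on CPE)"
  sudo firewall-cmd --zone=FedoraServer --remove-masquerade --permanent || warn "remove-masquerade failed"

  # Ensure UDP 32237 is open if you run wg-quick or NM WG on that port.
  # NOTE(review): the port is opened permanently whether or not a WireGuard
  # listener is configured. On hosts that do not run WireGuard, leave this rule
  # out so no unused port stays reachable.
  # A failure here used to be swallowed with `|| true`; it is now reported like
  # the other steps so a closed VPN port does not go unnoticed.
  sudo firewall-cmd --zone=FedoraServer --add-port=32237/udp --permanent || warn "add-port 32237/udp failed"

  # --permanent only edits the stored configuration; the reload makes it the
  # running configuration and discards any runtime-only rules.
  sudo firewall-cmd --reload || warn "firewalld reload failed"
else
  warn "[60] firewalld not active; skipping"
fi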