feat(security): finish Windows firewall Public opt-in wiring + vuln-disclosure + doc cleanup
Firewall (the service.rs core landed in efb1ba2): scope the web-console rule
(TCP 47992) to Domain+Private by default with a `--allow-public-network` opt-in
that deletes-then-re-adds the rule, and add the installer "Allow connections on
Public networks" task (unchecked) forwarding the flag to `service install` and
`web setup`. Default is now trusted-networks-only; Public is explicit.
Vulnerability disclosure: SECURITY.md (report to security@punktfunk.com, scope,
SLAs, safe harbor), a Gitea issue-template contact link, a README security line,
and a Reporting section on the docs Security page.
Docs: the Security page now documents the Private/Domain firewall default (and
how to fix a misclassified-Public network / opt in); removed internal design-doc
and CLAUDE.md links from the user-facing docs.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
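The rule scoping the commit message describes, as an added PowerShell example (not the project's `service.rs` code, which this page does not show): it creates the web-console rule limited to the Domain and Private profiles, performs the delete-then-re-add that the explicit Public opt-in does, and checks whether the active connection is classified Public, which is the case the docs tell users to fix by reclassifying rather than by widening the rule. The rule display name `punktfunk-host console` and the `-AllowPublic` switch are assumptions; TCP 47992 is the port named in the commit message.

```powershell
# Added example (not project code): scope the console firewall rule as the commit describes.
# Assumptions: the rule display name and the -AllowPublic switch are invented for illustration.
# Run from an elevated prompt; uses the built-in NetSecurity cmdlets.

$RuleName    = 'punktfunk-host console'   # assumed display name
$ConsolePort = 47992                      # TCP port named in the commit message

function Set-ConsoleFirewallRule {
    param([switch]$AllowPublic)

    # Default: trusted profiles only. Public is added only on explicit opt-in.
    $profiles = if ($AllowPublic) { 'Domain,Private,Public' } else { 'Domain,Private' }

    # Delete-then-re-add, so a rule left over from an earlier install cannot keep a wider scope.
    Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $ConsolePort `
        -Profile $profiles | Out-Null
}

function Get-ConsoleFirewallScope {
    # Returns the profile set the rule is currently scoped to (e.g. "Domain, Private").
    (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction Stop).Profile.ToString()
}

function Test-PublicNetworkExposure {
    # Warn when the host sits on a Public-classified network. With the default scope the
    # console rule does not match there, so clients cannot connect; the fix the docs
    # recommend first is reclassifying the network to Private, not opening the rule.
    $public = @(Get-NetConnectionProfile | Where-Object NetworkCategory -eq 'Public')
    foreach ($p in $public) {
        $msg = "Interface '{0}' ({1}) is classified Public; the console rule will not match here. " +
               "Reclassify with: Set-NetConnectionProfile -InterfaceAlias '{0}' -NetworkCategory Private"
        Write-Warning ($msg -f $p.InterfaceAlias, $p.Name)
    }
    return ($public.Count -gt 0)
}

# Default install: trusted networks only.
Set-ConsoleFirewallRule
Get-ConsoleFirewallScope

# Equivalent of the installer's "Allow connections on Public networks" task / --allow-public-network:
# Set-ConsoleFirewallRule -AllowPublic

Test-PublicNetworkExposure | Out-Null
```

`Get-ConsoleFirewallScope` is the check worth running after an upgrade: if it ever reports `Public` on a host that was not deliberately opted in, a stale rule survived the re-add and the console is reachable from any network the machine joins.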
@@ -8,8 +8,8 @@ always-available host, run it as a service. There are two cases.
> The bundled unit `scripts/punktfunk-host.service` runs `serve --gamestream`, so it serves both the
> native `punktfunk/1` plane and stock [Moonlight](/docs/moonlight) clients. For a **secure native-only
> host** (no GameStream — its pairing runs over plain HTTP and its legacy encryption is weaker;
> security-review #5/#9), drop `--gamestream` from the unit's `ExecStart` and use bare `serve`.
> host** (no GameStream — its pairing runs over plain HTTP and its legacy encryption is weaker), drop
> `--gamestream` from the unit's `ExecStart` and use bare `serve`.
## A. A desktop you log into
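Review bot: dropping the `security-review #5/#9` pointer from the native-only-host note leaves the claim that GameStream pairing runs over plain HTTP and uses weaker legacy encryption with no cited basis in the user-facing text. Since the reason for removing it is that the review doc is internal, point the sentence at the public security page instead, e.g. `see [Security & Safe Use](/docs/security)`, so readers can still find the reasoning the note asks them to act on when they drop `--gamestream`.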
@@ -101,9 +101,15 @@ registers + starts the service for you (`/VERYSILENT` for unattended). Upgrades
handled through Add/Remove Programs.
Prefer the CLI? Run `punktfunk-host service install` from an elevated prompt — see
[Windows service](https://git.unom.io/unom/punktfunk/src/branch/main/docs/windows-service.md). For
hardware encode you need a GPU — NVIDIA (NVENC), AMD (AMF), or Intel (QSV); the host falls back to
software H.264 without one.
[Windows Host](/docs/windows-host). For hardware encode you need a GPU — NVIDIA (NVENC), AMD (AMF), or
Intel (QSV); the host falls back to software H.264 without one.
> **Firewall scope.** The installer opens the streaming + console ports on **Private and Domain**
> networks only — not **Public**. If your LAN is (mis)classified Public, clients won't connect until
> you set it to Private (Windows Settings → Network), and the host logs a warning when it's on a Public
> network. For a trusted network Windows insists is Public, tick **"Allow connections on Public
> networks"** at install (or pass `--allow-public-network` to `service install`). See
> [Security & Safe Use](/docs/security) for the reasoning.
## Verifying
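Review bot: the new Firewall scope blockquote states that "the host logs a warning when it's on a Public network", but nothing else in this change (commit message or diff) describes that runtime check; confirm the warning exists in the service before shipping the sentence, or drop it so the docs do not promise a signal users will not see. Two smaller gaps in the same blockquote: it says "streaming + console ports" without naming them, so a user inspecting Windows Firewall cannot tell which rules belong to the host (the console port is TCP 47992 per the commit message; the streaming ports are not stated anywhere in this change, so take them from the service code); and it explains how to opt in to Public but not how to revert the opt-in, which matters because the opt-in is a delete-and-re-add of the rule rather than a toggle. On the replaced link, `[Windows service](...)` on `git.unom.io` became `[Windows Host](/docs/windows-host)` while the preceding sentence still sends CLI users there for `service install` from an elevated prompt; check that the new docs page actually covers that command before the old raw-file link goes away.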