fix(packaging): correct CachyOS firewall to ufw + ship ufw openers + web-console opener

CachyOS ships ufw enabled by default (firewalld is not installed) — verified live
on the .21 box — but the docs and shipped firewall openers claimed "CachyOS enables
firewalld by default". Correct that everywhere and ship a ufw application profile
(the one-liner analogue of the firewalld service files):

- packaging/linux/punktfunk.ufw (new): [punktfunk-native], [punktfunk-gamestream],
  [punktfunk-web] profiles, installed to /etc/ufw/applications.d/punktfunk by the
  Arch (CachyOS) and .deb host packages. `sudo ufw allow punktfunk-native`.
- packaging/linux/punktfunk-web.xml (new): firewalld service for the optional web
  console (TCP 47992), installed by the host package on arch/deb/rpm. Neither the
  native nor gamestream opener covered 47992, so a firewalld/ufw host that enabled
  punktfunk-web could not reach the console over the LAN.
- Fix the "CachyOS enables firewalld" claim in arch.md, arch/README.md,
  debian/README.md, both firewalld service .xml comments, and the pacman scriptlet;
  firewalld now attributed to the spins that use it (EndeavourOS, Fedora/RHEL).
- Docs present both one-liners (ufw + firewalld) whichever firewall you run, plus a
  console-opener step; postinst/scriptlet hints detect ufw as well as firewalld.

The native data plane stays hole-punched (ephemeral UDP, no fixed port) — its
openers correctly open only 9777/udp + mDNS; the stale "open a UDP range" note is
replaced with the accurate outbound-UDP explanation.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-05 16:52:35 +00:00
parent e27718b406
commit c2bc72a8e9
11 changed files with 197 additions and 73 deletions
+26 -14
@@ -109,28 +109,40 @@ To set your own, edit that file and `systemctl --user restart punktfunk-web`. Fo
## 5. Open the firewall (if you have one) ## 5. Open the firewall (if you have one)
**Stock Arch ships no firewall** — every port is already open, so you can skip this. But **CachyOS **Stock Arch ships no firewall** — every port is already open, so you can skip this. But **CachyOS
enables `firewalld` by default**, and an Arch package never opens ports for you (it won't touch your enables `ufw` by default** (firewalld is not installed), and some other spins (e.g. EndeavourOS)
running firewall), so on CachyOS the host is unreachable until you allow it. enable **`firewalld`** — an Arch package never opens ports for you, so on those the host is
unreachable until you allow it.
The `punktfunk-host` package installs **firewalld service definitions** for exactly this, so The `punktfunk-host` package installs openers for **both**, so it's a one-liner whichever you run:
enabling is one command. Reload once so firewalld sees the just-installed definition, add the
service, then reload to apply:
```sh ```sh
sudo firewall-cmd --reload # ufw — CachyOS (and Ubuntu, once you enable ufw):
sudo firewall-cmd --permanent --add-service=punktfunk-native # the default native host sudo ufw allow punktfunk-native # the secure native host (the default)
# --add-service=punktfunk-gamestream # …or add this for Moonlight compat sudo ufw allow punktfunk-gamestream # …also this if you run `serve --gamestream` (Moonlight)
# firewalld — Fedora-like spins (EndeavourOS, …):
sudo firewall-cmd --reload # load the installed definition
sudo firewall-cmd --permanent --add-service=punktfunk-native
sudo firewall-cmd --reload sudo firewall-cmd --reload
``` ```
`punktfunk-native` opens the QUIC control port (UDP 9777) + mDNS discovery; add `punktfunk-native` opens the QUIC control port (UDP 9777) + mDNS discovery; add
`punktfunk-gamestream` as well if you run `serve --gamestream` (the fixed Moonlight ports + mDNS). `punktfunk-gamestream` as well if you run `serve --gamestream` (the fixed Moonlight ports + mDNS).
The media **data plane** uses an *ephemeral* UDP port per session (nothing fixed to open); a The media **data plane** uses an *ephemeral* UDP port that the client opens with a hole-punch — the
restrictive firewall must also allow a UDP range. The web console (47992) and mgmt API (47990, host streams back out through the path the client opened, so there's **nothing fixed to open** as
loopback-only) are **not** opened by these — reach the console from the host box, or open 47992 long as the firewall allows outbound UDP (the default for both ufw and firewalld).
yourself if you want it on the LAN. Not on firewalld? See
[`packaging/arch/README.md`](https://git.unom.io/unom/punktfunk/src/branch/main/packaging/arch/README.md#firewall) Enabled the **web console** (`punktfunk-web`, above) and want to reach it from your phone or another
for the `ufw`/`nftables` port lists. machine? It's not opened by the streaming rules — open its port too, the same one-liner way:
```sh
sudo ufw allow punktfunk-web # ufw
sudo firewall-cmd --permanent --add-service=punktfunk-web && sudo firewall-cmd --reload # firewalld
```
That opens **TCP 47992** (HTTPS, login-gated). The mgmt API (47990) stays loopback-only and is never
opened. Full port lists (`nftables`, explicit ports) are in
[`packaging/arch/README.md`](https://git.unom.io/unom/punktfunk/src/branch/main/packaging/arch/README.md#firewall).
## 6. Connect a client ## 6. Connect a client
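Review bot: the web-console opener in this section admits 47992 from any source, while the surrounding text frames it as reaching the console from a phone on the LAN; since the console binds all interfaces, show the source-scoped form next to the one-liner, e.g. `sudo ufw allow from 192.168.1.0/24 to any app punktfunk-web` (the reader substitutes their LAN prefix), so the login page is not exposed to every network the box joins. A short `sudo ufw app info punktfunk-web` line would also let the reader confirm what the profile opens before allowing it.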
+12 -4
@@ -134,14 +134,22 @@ package_punktfunk-host() {
install -Dm0644 "$R/packaging/bazzite/gamescope-headless-session" \ install -Dm0644 "$R/packaging/bazzite/gamescope-headless-session" \
"$pkgdir/etc/gamescope-session-plus/sessions.d/steam" "$pkgdir/etc/gamescope-session-plus/sessions.d/steam"
install -Dm0644 "$R/api/openapi.json" "$pkgdir/usr/share/punktfunk/openapi.json" install -Dm0644 "$R/api/openapi.json" "$pkgdir/usr/share/punktfunk/openapi.json"
# firewalld service definitions — NOT auto-enabled (Arch packages never touch the admin's # Firewall openers — NOT auto-enabled (an Arch package never touches the admin's running firewall).
# firewall). Stock Arch ships none, so they're a no-op there; CachyOS et al. ship firewalld, so # Stock Arch ships no firewall; CachyOS ships ufw; some spins (EndeavourOS) enable firewalld so we
# sudo firewall-cmd --reload && sudo firewall-cmd --permanent --add-service=punktfunk-gamestream && sudo firewall-cmd --reload # install BOTH a ufw application profile and firewalld service definitions, and the one for whatever
# (or =punktfunk-native). See README.md → Firewall. # firewall you actually run is a one-liner. See README.md → Firewall.
# ufw: sudo ufw allow punktfunk-native (or punktfunk-gamestream)
# firewalld: sudo firewall-cmd --reload && sudo firewall-cmd --permanent --add-service=punktfunk-native && sudo firewall-cmd --reload
install -Dm0644 "$R/packaging/linux/punktfunk.ufw" \
"$pkgdir/etc/ufw/applications.d/punktfunk"
install -Dm0644 "$R/packaging/linux/punktfunk-gamestream.xml" \ install -Dm0644 "$R/packaging/linux/punktfunk-gamestream.xml" \
"$pkgdir/usr/lib/firewalld/services/punktfunk-gamestream.xml" "$pkgdir/usr/lib/firewalld/services/punktfunk-gamestream.xml"
install -Dm0644 "$R/packaging/linux/punktfunk-native.xml" \ install -Dm0644 "$R/packaging/linux/punktfunk-native.xml" \
"$pkgdir/usr/lib/firewalld/services/punktfunk-native.xml" "$pkgdir/usr/lib/firewalld/services/punktfunk-native.xml"
# Web console opener (TCP 47992) — only meaningful with the optional punktfunk-web package; opened
# deliberately (see README.md → Firewall). ufw's equivalent is the punktfunk-web profile above.
install -Dm0644 "$R/packaging/linux/punktfunk-web.xml" \
"$pkgdir/usr/lib/firewalld/services/punktfunk-web.xml"
install -Dm0644 "$R/LICENSE-MIT" "$pkgdir/usr/share/licenses/punktfunk-host/LICENSE-MIT" install -Dm0644 "$R/LICENSE-MIT" "$pkgdir/usr/share/licenses/punktfunk-host/LICENSE-MIT"
install -Dm0644 "$R/LICENSE-APACHE" "$pkgdir/usr/share/licenses/punktfunk-host/LICENSE-APACHE" install -Dm0644 "$R/LICENSE-APACHE" "$pkgdir/usr/share/licenses/punktfunk-host/LICENSE-APACHE"
install -Dm0644 "$R/README.md" "$pkgdir/usr/share/doc/punktfunk-host/README.md" install -Dm0644 "$R/README.md" "$pkgdir/usr/share/doc/punktfunk-host/README.md"
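Review bot: `punktfunk-web.xml` is installed by `punktfunk-host` even though the comment above it says it is only meaningful with the optional `punktfunk-web` package; shipping it from the package that provides the console would keep an opener for an unused port off hosts that never install it. If it stays in the host package, the README should say that `firewall-cmd --add-service=punktfunk-web` (and `ufw allow punktfunk-web`) succeeds on a host without the console and simply opens 47992 to nothing.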
+40 -26
@@ -139,33 +139,45 @@ so it's a much lighter sysext than the host.
**Stock Arch ships no firewall** — every port is open by default, so there is nothing to do. **Stock Arch ships no firewall** — every port is open by default, so there is nothing to do.
Spins that enable one **do not** get their ports opened for you: an Arch package never touches the Spins that enable one **do not** get their ports opened for you: an Arch package never touches the
admin's running firewall. **CachyOS is the common case** — its installer turns on `firewalld` by admin's running firewall. **CachyOS is the common case** — it ships `ufw` enabled by default (not
default, so out of the box the host is unreachable until you allow it. firewalld), so out of the box the host is unreachable until you allow it. Some other spins (e.g.
EndeavourOS) enable `firewalld` instead.
The `punktfunk-host` package ships **firewalld service definitions** (installed to The `punktfunk-host` package ships openers for **both** — a ufw application profile
`/usr/lib/firewalld/services/`) so enabling is one command — pick the plane your host serves: (`/etc/ufw/applications.d/punktfunk`) and firewalld service definitions
(`/usr/lib/firewalld/services/`) — so enabling is one command whichever you run:
```sh ```sh
# Reload once so firewalld picks up the just-installed service definition, add it, reload to apply. # ufw (CachyOS, and Ubuntu once you enable ufw) — reads the profile at once, no reload needed:
sudo firewall-cmd --reload sudo ufw allow punktfunk-native # the native-only host (the default)
sudo firewall-cmd --permanent --add-service=punktfunk-gamestream # Moonlight/GameStream host sudo ufw allow punktfunk-gamestream # …or add this for the Moonlight/GameStream host
# --add-service=punktfunk-native # …or the native-only host
# firewalld (EndeavourOS and other Fedora-like spins):
sudo firewall-cmd --reload # pick up the installed def
sudo firewall-cmd --permanent --add-service=punktfunk-native
# --add-service=punktfunk-gamestream # …for the Moonlight host
sudo firewall-cmd --reload sudo firewall-cmd --reload
``` ```
`punktfunk-gamestream` opens the fixed Moonlight ports + mDNS; `punktfunk-native` opens the QUIC `punktfunk-gamestream` opens the fixed Moonlight ports + mDNS; `punktfunk-native` opens the QUIC
control port (UDP 9777) + mDNS. Enable both if the host runs `serve --gamestream` (which serves control port (UDP 9777) + mDNS. Enable both if the host runs `serve --gamestream` (which serves
both planes). The **data plane is an *ephemeral* UDP port** negotiated per session, so there is no both planes). The **data plane is an *ephemeral* UDP port** the client opens with a hole-punch, so
fixed data port in either service; a restrictive firewall must additionally allow a UDP range (the there is no fixed data port in either service — the host streams back out through the path the
project does not pin one). The mgmt REST API (TCP 47990) binds to loopback by default — leave it client opened, which any firewall that allows outbound UDP (the default) passes. The mgmt REST API
closed unless you move it off loopback with `--mgmt-bind IP:PORT` (which then requires (TCP 47990) binds to loopback by default — leave it closed unless you move it off loopback with
`--mgmt-token`). `--mgmt-bind IP:PORT` (which then requires `--mgmt-token`).
For a non-firewalld setup, open the ports directly. The **native `punktfunk/1`** plane: If you installed the **web console** (`punktfunk-web`) and want it reachable from another device,
open its port with the matching one-liner — `sudo ufw allow punktfunk-web` or `sudo firewall-cmd
--permanent --add-service=punktfunk-web && sudo firewall-cmd --reload` — which opens **TCP 47992**
(HTTPS, login-gated). The mgmt API (47990) stays loopback-only.
Prefer explicit rules (or a firewall the shipped profiles don't cover)? Open the ports directly.
The **native `punktfunk/1`** plane:
- **QUIC control plane: UDP 9777** (`serve --native-port N` to change). - **QUIC control plane: UDP 9777** (`serve --native-port N` to change).
- **Data plane: an *ephemeral* UDP port** — negotiated per session, so there is no fixed port to - **Data plane: an *ephemeral* UDP port** the client hole-punches — nothing to open inbound as long
open. For a restrictive firewall you'd need to allow a UDP range (the repo does not pin one). as outbound UDP is allowed (the host streams back out through the client-opened path).
And the **GameStream / Moonlight** ports (fixed) — only needed if you run the host with And the **GameStream / Moonlight** ports (fixed) — only needed if you run the host with
`serve --gamestream` (opt-in, trusted LAN only); bare `serve` is native-only and doesn't open these: `serve --gamestream` (opt-in, trusted LAN only); bare `serve` is native-only and doesn't open these:
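Review bot: the data-plane text here says the client opens the path with a hole-punch and the host streams back out through it, while the explicit-ports section below and the new ufw profile header say the host hole-punches; pick one description and say which side sends the first packet on the host's own interface, because that is what a deny-inbound host firewall keys on (only a flow the host sent first is matched as established/related on the return). "Allows outbound UDP (the default)" should also name the stateful return rule it relies on (`ct state established,related`, which ufw and firewalld both install by default), since a chain that merely permits outbound traffic without conntrack would still drop the client's packets.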
@@ -181,14 +193,14 @@ And the **GameStream / Moonlight** ports (fixed) — only needed if you run the
The mgmt API (TCP 47990) binds to loopback by default — leave it closed unless you move it off The mgmt API (TCP 47990) binds to loopback by default — leave it closed unless you move it off
loopback with `--mgmt-bind IP:PORT` (which then requires `--mgmt-token`). loopback with `--mgmt-bind IP:PORT` (which then requires `--mgmt-token`).
With `ufw`: With `ufw` (explicit ports, instead of the shipped `punktfunk-native`/`punktfunk-gamestream` profile):
```sh ```sh
sudo ufw allow 9777/udp # punktfunk/1 control plane sudo ufw allow 9777/udp # punktfunk/1 control plane
sudo ufw allow 47984/tcp && sudo ufw allow 47989/tcp && sudo ufw allow 48010/tcp sudo ufw allow 47984/tcp && sudo ufw allow 47989/tcp && sudo ufw allow 48010/tcp
sudo ufw allow 47998:48010/udp sudo ufw allow 47998,47999,48000/udp # GameStream video/control/audio
sudo ufw allow 5353/udp sudo ufw allow 5353/udp # mDNS discovery
# plus the ephemeral punktfunk/1 data port — open a UDP range you reserve for it. # The punktfunk/1 data plane is an ephemeral UDP port the host hole-punches — nothing to open here.
``` ```
With raw `nftables` (add to your `inet filter input` chain): With raw `nftables` (add to your `inet filter input` chain):
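Review bot: the explicit ufw list now opens only `47998,47999,48000/udp`, but the `[punktfunk-gamestream]` profile added in this same commit (`packaging/linux/punktfunk.ufw`) still lists `47998:48010/udp`, so `ufw allow punktfunk-gamestream` and these rules open different UDP ranges; align the profile with this list (and with the gamestream firewalld service) or state why the profile is wider. `ufw allow 47998,47999,48000/udp` is valid syntax (comma lists require the protocol suffix), though the range form `47998:48000/udp` would read closer to the nftables line that follows.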
@@ -196,18 +208,20 @@ With raw `nftables` (add to your `inet filter input` chain):
``` ```
udp dport 9777 accept # punktfunk/1 control plane udp dport 9777 accept # punktfunk/1 control plane
tcp dport { 47984, 47989, 48010 } accept tcp dport { 47984, 47989, 48010 } accept
udp dport { 47998-48010, 5353 } accept udp dport { 47998-48000, 5353 } accept # GameStream video/control/audio + mDNS
# plus the ephemeral punktfunk/1 data port (a reserved UDP range). # The punktfunk/1 data plane is an ephemeral UDP port the host hole-punches — a stateful chain that
# accepts ct state established,related (as this one should) passes the return with nothing extra.
``` ```
## Files ## Files
- `PKGBUILD` — split package: `punktfunk-host` + `punktfunk-client` (builds the working tree via - `PKGBUILD` — split package: `punktfunk-host` + `punktfunk-client` (builds the working tree via
`PF_SRCDIR`, or a git tag for AUR). `PF_SRCDIR`, or a git tag for AUR).
- `punktfunk-host.install` / `punktfunk-client.install` — pacman scriptlets (udev reload + sysctl + - `punktfunk-host.install` / `punktfunk-client.install` — pacman scriptlets (udev reload + sysctl +
first-run hint, incl. the firewalld enable command when firewalld is present), mirror the RPM first-run hint, incl. the ufw/firewalld enable command for whichever is present), mirror the RPM
`%post` / deb postinst. `%post` / deb postinst.
- The firewalld service definitions (`punktfunk-gamestream.xml` / `punktfunk-native.xml`) are shared - The firewall openers are shared across all Linux packaging and live in [`../linux/`](../linux/):
across all Linux packaging and live in [`../linux/`](../linux/); the host package installs them to the ufw application profile (`punktfunk.ufw``/etc/ufw/applications.d/punktfunk`) and the
`/usr/lib/firewalld/services/` (not auto-enabled; see Firewall above). firewalld service definitions (`punktfunk-native.xml` / `punktfunk-gamestream.xml` /
`punktfunk-web.xml``/usr/lib/firewalld/services/`). None auto-enabled; see Firewall above.
- `build-sysext.sh` — wraps either built `.pkg.tar.zst` into a `systemd-sysext` `.raw` for SteamOS - `build-sysext.sh` — wraps either built `.pkg.tar.zst` into a `systemd-sysext` `.raw` for SteamOS
(derives the name from the package, so it works for host or client). (derives the name from the package, so it works for host or client).
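Review bot: in the Files bullet the two code spans are fused, `punktfunk.ufw``/etc/ufw/applications.d/punktfunk` and `punktfunk-web.xml``/usr/lib/firewalld/services/`, which renders as one run with stray backticks; put the separator (an arrow or "installed to") back between them on both lines. The nftables comment about `ct state established,related` is the one place this commit states the stateful assumption behind "nothing to open"; the ufw explicit-ports comment above should carry the same qualifier rather than a bare "nothing to open here".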
+14 -5
@@ -17,15 +17,24 @@ punktfunk-host installed.
NOTE: encode is NVENC-only. Install 'nvidia-utils' on an NVIDIA host. An AMD Steam Deck is NOT NOTE: encode is NVENC-only. Install 'nvidia-utils' on an NVIDIA host. An AMD Steam Deck is NOT
yet supported — it needs a VAAPI (hevc_vaapi) encoder backend (see packaging/arch/README.md). yet supported — it needs a VAAPI (hevc_vaapi) encoder backend (see packaging/arch/README.md).
MSG MSG
# Firewall: stock Arch ships none (ports already open), but CachyOS et al. enable firewalld. We # Firewall: stock Arch ships none (ports already open); CachyOS ships ufw; some spins (EndeavourOS)
# install firewalld service definitions but never touch the running firewall — just point the way. # enable firewalld. We install a ufw app profile AND firewalld service definitions but never touch
# the running firewall — just point the way for whichever is active.
if command -v ufw >/dev/null 2>&1; then
cat <<'MSG'
4. ufw is installed — open the streaming ports once (native-only host shown; add
'punktfunk-gamestream' as well for Moonlight compat):
sudo ufw allow punktfunk-native
MSG
fi
if command -v firewall-cmd >/dev/null 2>&1; then if command -v firewall-cmd >/dev/null 2>&1; then
cat <<'MSG' cat <<'MSG'
4. firewalld is active — open the streaming ports once (GameStream/Moonlight shown; use 4. firewalld is active — open the streaming ports once (native-only host shown; add
'punktfunk-native' instead for the native-only host): 'punktfunk-gamestream' as well for Moonlight compat):
sudo firewall-cmd --reload # load the new service def sudo firewall-cmd --reload # load the new service def
sudo firewall-cmd --permanent --add-service=punktfunk-gamestream sudo firewall-cmd --permanent --add-service=punktfunk-native
sudo firewall-cmd --reload sudo firewall-cmd --reload
MSG MSG
fi fi
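Review bot: the two hints are independent `if` blocks, so a system with both `ufw` and `firewall-cmd` on PATH prints a step "4." twice with conflicting commands; make them `if … elif …` or test which firewall is actually active rather than merely installed, e.g. `ufw status 2>/dev/null | grep -q '^Status: active'` and `systemctl is-active --quiet firewalld` (the scriptlet runs as root, so `ufw status` works). The firewalld message also still says "is active" on the strength of `command -v`, whereas the ufw message correctly says "is installed".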
+20 -12
@@ -53,23 +53,31 @@ journalctl --user -u punktfunk-web-init | sed -n 's/.*password generated: //p'
## Firewall ## Firewall
**Debian ships no firewall and Ubuntu's `ufw` is installed-but-inactive by default**, so out of the **Debian ships no firewall and Ubuntu's `ufw` is installed-but-inactive by default**, so out of the
box there is nothing to open. If you run one, open the ports the host listens on. box there is nothing to open. If you turn one on, the `punktfunk-host` package ships a one-liner
opener for both **ufw** and **firewalld** (neither auto-enabled):
If you use **firewalld**, the `punktfunk-host` package installs service definitions to
`/usr/lib/firewalld/services/` (not auto-enabled), so it's one command:
```sh ```sh
# ufw (Ubuntu) — profile at /etc/ufw/applications.d/punktfunk, read at once (no reload):
sudo ufw allow punktfunk-native # the default native host
sudo ufw allow punktfunk-gamestream # …add for Moonlight compat
# firewalld — service definitions at /usr/lib/firewalld/services/:
sudo firewall-cmd --reload # load the installed definition sudo firewall-cmd --reload # load the installed definition
sudo firewall-cmd --permanent --add-service=punktfunk-native # the default native host sudo firewall-cmd --permanent --add-service=punktfunk-native
# --add-service=punktfunk-gamestream # …add for Moonlight compat # --add-service=punktfunk-gamestream # …add for Moonlight compat
sudo firewall-cmd --reload sudo firewall-cmd --reload
``` ```
Otherwise open the ports directly. The **native `punktfunk/1`** plane: If you installed the **web console** (`punktfunk-web`) and want it reachable from another device,
open its port with the matching one-liner — `sudo ufw allow punktfunk-web` or `sudo firewall-cmd
--permanent --add-service=punktfunk-web && sudo firewall-cmd --reload` — which opens **TCP 47992**
(HTTPS, login-gated). The mgmt API (47990) stays loopback-only.
Prefer explicit rules? Open the ports directly. The **native `punktfunk/1`** plane:
- **QUIC control plane: UDP 9777** (`serve --native-port N` to change). - **QUIC control plane: UDP 9777** (`serve --native-port N` to change).
- **Data plane: an *ephemeral* UDP port** — negotiated per session, so there is no fixed port to - **Data plane: an *ephemeral* UDP port** the client hole-punches — nothing to open inbound as long
open. For a restrictive firewall you'd need to allow a UDP range (the repo does not pin one). as outbound UDP is allowed (the host streams back out through the client-opened path).
And the **GameStream / Moonlight** ports (fixed) — only needed if you run the host with And the **GameStream / Moonlight** ports (fixed) — only needed if you run the host with
`serve --gamestream` (opt-in, trusted LAN only); bare `serve` is native-only and doesn't open these: `serve --gamestream` (opt-in, trusted LAN only); bare `serve` is native-only and doesn't open these:
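Review bot: the ufw block assumes ufw is already active, but the section opens by saying Ubuntu ships it installed-but-inactive, so the reader also needs `sudo ufw enable`; since enabling ufw switches the default policy to deny incoming, add the usual reminder to allow administrative access first (`sudo ufw allow OpenSSH` on a headless host) so the box is not cut off right after the streaming ports are opened. Rules added while ufw is inactive are retained, so the order shown (allow, then enable) is fine once that is said.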
@@ -85,14 +93,14 @@ And the **GameStream / Moonlight** ports (fixed) — only needed if you run the
The mgmt API (TCP 47990) binds to loopback by default — leave it closed unless you move it off The mgmt API (TCP 47990) binds to loopback by default — leave it closed unless you move it off
loopback with `--mgmt-bind IP:PORT` (which then requires `--mgmt-token`). loopback with `--mgmt-bind IP:PORT` (which then requires `--mgmt-token`).
With `ufw`: With `ufw` (explicit ports, instead of the shipped profile):
```sh ```sh
sudo ufw allow 9777/udp # punktfunk/1 control plane sudo ufw allow 9777/udp # punktfunk/1 control plane
sudo ufw allow 47984/tcp && sudo ufw allow 47989/tcp && sudo ufw allow 48010/tcp sudo ufw allow 47984/tcp && sudo ufw allow 47989/tcp && sudo ufw allow 48010/tcp
sudo ufw allow 47998:48010/udp sudo ufw allow 47998,47999,48000/udp # GameStream video/control/audio
sudo ufw allow 5353/udp sudo ufw allow 5353/udp # mDNS discovery
# plus the ephemeral punktfunk/1 data port — open a UDP range you reserve for it. # The punktfunk/1 data plane is an ephemeral UDP port the host hole-punches — nothing to open here.
``` ```
With raw `nftables` (add to your `inet filter input` chain): With raw `nftables` (add to your `inet filter input` chain):
+15 -6
@@ -80,13 +80,19 @@ install -Dm0644 scripts/host.env.example "$SHAREDIR/host.env.example"
install -Dm0644 packaging/bazzite/host.env "$SHAREDIR/host.env.bazzite" install -Dm0644 packaging/bazzite/host.env "$SHAREDIR/host.env.bazzite"
install -Dm0644 packaging/kde/host.env "$SHAREDIR/host.env.kde" install -Dm0644 packaging/kde/host.env "$SHAREDIR/host.env.kde"
install -Dm0644 api/openapi.json "$SHAREDIR/openapi.json" install -Dm0644 api/openapi.json "$SHAREDIR/openapi.json"
# firewalld service definitions (shared across all Linux packaging). NOT auto-enabled — the postinst # Firewall openers (shared across all Linux packaging), NOT auto-enabled — the postinst prints the
# only prints the enable command when firewalld is present. Debian/Ubuntu ship no active firewall # enable command for whichever firewall is present. Debian ships none and Ubuntu's ufw is
# (Ubuntu's ufw is installed-but-inactive), so these are a no-op unless the admin runs firewalld. # installed-but-inactive, so these are a no-op until the admin turns a firewall on.
install -Dm0644 packaging/linux/punktfunk.ufw \
"$STAGE/etc/ufw/applications.d/punktfunk"
install -Dm0644 packaging/linux/punktfunk-gamestream.xml \ install -Dm0644 packaging/linux/punktfunk-gamestream.xml \
"$STAGE/usr/lib/firewalld/services/punktfunk-gamestream.xml" "$STAGE/usr/lib/firewalld/services/punktfunk-gamestream.xml"
install -Dm0644 packaging/linux/punktfunk-native.xml \ install -Dm0644 packaging/linux/punktfunk-native.xml \
"$STAGE/usr/lib/firewalld/services/punktfunk-native.xml" "$STAGE/usr/lib/firewalld/services/punktfunk-native.xml"
# Web console opener (TCP 47992) — only meaningful with the optional punktfunk-web package; opened
# deliberately (see README.md → Firewall). ufw's equivalent is the punktfunk-web profile above.
install -Dm0644 packaging/linux/punktfunk-web.xml \
"$STAGE/usr/lib/firewalld/services/punktfunk-web.xml"
install -Dm0644 LICENSE-MIT "$DOCDIR/LICENSE-MIT" install -Dm0644 LICENSE-MIT "$DOCDIR/LICENSE-MIT"
install -Dm0644 LICENSE-APACHE "$DOCDIR/LICENSE-APACHE" install -Dm0644 LICENSE-APACHE "$DOCDIR/LICENSE-APACHE"
install -Dm0644 README.md "$DOCDIR/README.md" install -Dm0644 README.md "$DOCDIR/README.md"
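Review bot: `/etc/ufw/applications.d/punktfunk` is a file under `/etc` staged into `$STAGE` by hand, so unless this package is assembled with debhelper (which registers `/etc` files as conffiles automatically) it needs an entry in `DEBIAN/conffiles`; otherwise dpkg treats it as a regular file and overwrites local edits on upgrade, contrary to Policy 10.7. The firewalld XML files live under `/usr/lib` and are fine as plain files.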
@@ -193,11 +199,14 @@ if [ "$1" = "configure" ]; then
echo " sudo usermod -aG input \"\$USER\" # then re-login" echo " sudo usermod -aG input \"\$USER\" # then re-login"
echo "Config: mkdir -p ~/.config/punktfunk && cp /usr/share/punktfunk-host/host.env.example ~/.config/punktfunk/host.env" echo "Config: mkdir -p ~/.config/punktfunk && cp /usr/share/punktfunk-host/host.env.example ~/.config/punktfunk/host.env"
echo "Enable: systemctl --user enable --now punktfunk-host" echo "Enable: systemctl --user enable --now punktfunk-host"
# Debian/Ubuntu ship no active firewall; only hint firewalld users (ufw users: see README). # Debian ships no active firewall and Ubuntu's ufw is inactive by default; hint whichever is present.
if command -v ufw >/dev/null 2>&1; then
echo "Firewall (ufw detected): sudo ufw allow punktfunk-native (or punktfunk-gamestream for Moonlight)"
fi
if command -v firewall-cmd >/dev/null 2>&1; then if command -v firewall-cmd >/dev/null 2>&1; then
echo "Firewall (firewalld detected): sudo firewall-cmd --reload &&" echo "Firewall (firewalld detected): sudo firewall-cmd --reload &&"
echo " sudo firewall-cmd --permanent --add-service=punktfunk-gamestream && sudo firewall-cmd --reload" echo " sudo firewall-cmd --permanent --add-service=punktfunk-native && sudo firewall-cmd --reload"
echo " (use punktfunk-native for the native-only host)" echo " (use punktfunk-gamestream for the Moonlight-compat host)"
fi fi
fi fi
exit 0 exit 0
+4 -3
@@ -4,9 +4,10 @@
Installed to /usr/lib/firewalld/services/ by the punktfunk-host package. It is NOT enabled Installed to /usr/lib/firewalld/services/ by the punktfunk-host package. It is NOT enabled
automatically: an Arch package never touches the admin's running firewall. Stock Arch ships no automatically: an Arch package never touches the admin's running firewall. Stock Arch ships no
firewall (these ports are already open); Fedora/RHEL and CachyOS enable firewalld by default, so firewall (these ports are already open); Fedora/RHEL and some Arch spins (EndeavourOS) enable
enable it once with firewall-cmd (add-service=punktfunk-gamestream, then reload). Exact commands: firewalld by default, so enable it once with firewall-cmd (add-service=punktfunk-gamestream, then
your distro's install guide, or the per-distro packaging README (Firewall section). reload). CachyOS and Ubuntu use ufw instead — the package also ships a ufw application profile
(punktfunk.ufw). Exact commands: your distro's install guide, or the per-distro packaging README.
Needed only when the host runs GameStream/Moonlight compat (serve with the gamestream flag). The Needed only when the host runs GameStream/Moonlight compat (serve with the gamestream flag). The
mgmt REST API (TCP 47990) stays on loopback by default and is deliberately not opened here. mgmt REST API (TCP 47990) stays on loopback by default and is deliberately not opened here.
+3 -2
@@ -5,8 +5,9 @@
Installed to /usr/lib/firewalld/services/ by the punktfunk-host package. NOT enabled automatically Installed to /usr/lib/firewalld/services/ by the punktfunk-host package. NOT enabled automatically
(packages never touch the admin's firewall). Stock Arch/Debian ship no active firewall; Fedora/RHEL (packages never touch the admin's firewall). Stock Arch/Debian ship no active firewall; Fedora/RHEL
and CachyOS enable firewalld by default, so enable it once with firewall-cmd and some Arch spins (EndeavourOS) enable firewalld by default, so enable it once with firewall-cmd
(add-service=punktfunk-native, then reload). Exact commands: your distro's install guide, or the (add-service=punktfunk-native, then reload). CachyOS and Ubuntu use ufw instead — the package also
ships a ufw application profile (punktfunk.ufw). Exact commands: your distro's install guide, or the
per-distro packaging README (Firewall section). per-distro packaging README (Firewall section).
The media DATA plane binds an EPHEMERAL UDP port (0.0.0.0:0) chosen per session and reported to the The media DATA plane binds an EPHEMERAL UDP port (0.0.0.0:0) chosen per session and reported to the
+20
@@ -0,0 +1,20 @@
<?xml version="1.0" encoding="utf-8"?>
<!--
firewalld service definition for the punktfunk management web console (the optional punktfunk-web
package: device pairing, status, GPU selection, performance graphs).
Installed to /usr/lib/firewalld/services/ by the punktfunk-host package. NOT enabled automatically
(packages never touch the admin's firewall). Only useful if you installed the console (punktfunk-web)
AND want to reach it from another device on the LAN — the console binds all interfaces on TCP 47992
(HTTPS, login-gated). The streaming host itself does not need this open; enable it deliberately with
firewall-cmd (add-service=punktfunk-web, then reload). CachyOS/Ubuntu: use the ufw punktfunk-web
profile instead.
The mgmt REST API (TCP 47990) is a different, loopback-only surface (the console proxies to it
locally) and is deliberately NOT opened here.
-->
<service>
<short>Punktfunk web console</short>
<description>The optional punktfunk management web console (device pairing, status, GPU selection, performance graphs) over HTTPS. Open only if you run the punktfunk-web package and want the console reachable from other devices on the LAN.</description>
<port protocol="tcp" port="47992"/> <!-- HTTPS web console (login-gated) -->
</service>
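Review bot: the header comment promises reachability "from another device on the LAN", but `firewall-cmd --permanent --add-service=punktfunk-web` adds the service to the default zone, which on a laptop or multi-homed box is often `public` and follows the machine onto every network; point the reader at the zone bound to the LAN interface (`--zone=home`, or whatever `firewall-cmd --get-active-zones` reports for that NIC) or at a source-scoped rich rule. The `<service>` body itself is well-formed for firewalld's service schema, including the trailing comment after `<port>`.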
+38
@@ -0,0 +1,38 @@
# ufw application profile for the punktfunk host — installed to
# /etc/ufw/applications.d/punktfunk by the .deb and the Arch/CachyOS package.
#
# This is the ufw analogue of the firewalld service definitions
# (punktfunk-native.xml / punktfunk-gamestream.xml): it turns opening the host's
# ports into a one-liner on the distros that use ufw instead of firewalld
# (CachyOS ships ufw enabled; Debian/Ubuntu ship it installed-but-inactive). ufw
# reads this directory on every command, so no reload is needed after the
# package drops the file — just:
#
# sudo ufw allow punktfunk-native # the secure native punktfunk/1 host (the default)
# sudo ufw allow punktfunk-gamestream # add GameStream/Moonlight compat (opt-in)
# sudo ufw allow punktfunk-web # reach the web console from the LAN (if punktfunk-web is installed)
# sudo ufw app info punktfunk-native # show what a profile opens
#
# Same port map as the firewalld services. The punktfunk/1 DATA plane is an
# ephemeral UDP port chosen per session and is NOT listed here: the host
# hole-punches, so a deny-inbound firewall still works (it just adds ~2.5 s at
# session start). To open a fixed one instead, run the host with
# `serve --data-port 9778` and `sudo ufw allow 9778/udp`.
[punktfunk-native]
title=punktfunk host (native punktfunk/1)
description=punktfunk/1 native streaming: QUIC control plane + mDNS auto-discovery
ports=9777/udp|5353/udp
[punktfunk-gamestream]
title=punktfunk host (GameStream/Moonlight)
description=GameStream/Moonlight compatibility ports (opt-in, trusted LAN only)
ports=47984,47989,48010/tcp|47998:48010/udp|5353/udp
# The optional web console (the separate punktfunk-web package). Open only if you installed it and
# want to reach it from another device — it binds all interfaces on TCP 47992 (HTTPS, login-gated).
# The mgmt API (47990) is loopback-only and is deliberately not covered here.
[punktfunk-web]
title=punktfunk web console
description=The optional punktfunk management web console (HTTPS, login-gated) reachable from the LAN
ports=47992/tcp
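Review bot: the header says a fixed data port can be opened with `serve --data-port 9778`, but every README touched in this commit says the data plane has no fixed port and the repo pins none; if the flag exists the READMEs should document it, and if it does not the line should go, since a reader following it gets a rejected option plus an unused `9778/udp` rule. In the same file `[punktfunk-gamestream]` still opens `47998:48010/udp` while the explicit-ports docs in this commit narrow the GameStream UDP set to 47998-48000; whichever is right, the profile and the docs should agree, and `ufw app info punktfunk-gamestream` is the quick way to check what actually ships.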
+4
@@ -266,6 +266,9 @@ install -Dm0644 packaging/linux/punktfunk-gamestream.xml \
%{buildroot}%{_prefix}/lib/firewalld/services/punktfunk-gamestream.xml %{buildroot}%{_prefix}/lib/firewalld/services/punktfunk-gamestream.xml
install -Dm0644 packaging/linux/punktfunk-native.xml \ install -Dm0644 packaging/linux/punktfunk-native.xml \
%{buildroot}%{_prefix}/lib/firewalld/services/punktfunk-native.xml %{buildroot}%{_prefix}/lib/firewalld/services/punktfunk-native.xml
# Web console opener (TCP 47992) — only meaningful with the web subpackage, opened deliberately.
install -Dm0644 packaging/linux/punktfunk-web.xml \
%{buildroot}%{_prefix}/lib/firewalld/services/punktfunk-web.xml
%if %{with web} %if %{with web}
# --- web console subpackage (punktfunk-web) --- # --- web console subpackage (punktfunk-web) ---
@@ -298,6 +301,7 @@ install -Dm0644 web/web.env.example %{buildroot}%{_datadir}/punkt
%{_prefix}/lib/sysctl.d/99-punktfunk-net.conf %{_prefix}/lib/sysctl.d/99-punktfunk-net.conf
%{_prefix}/lib/firewalld/services/punktfunk-gamestream.xml %{_prefix}/lib/firewalld/services/punktfunk-gamestream.xml
%{_prefix}/lib/firewalld/services/punktfunk-native.xml %{_prefix}/lib/firewalld/services/punktfunk-native.xml
%{_prefix}/lib/firewalld/services/punktfunk-web.xml
%{_userunitdir}/punktfunk-host.service %{_userunitdir}/punktfunk-host.service
%{_userunitdir}/punktfunk-kde-session.service %{_userunitdir}/punktfunk-kde-session.service
%{_datadir}/applications/io.unom.Punktfunk.Host.desktop %{_datadir}/applications/io.unom.Punktfunk.Host.desktop