fix(packaging): correct CachyOS firewall to ufw + ship ufw openers + web-console opener
apple / swift (push) Successful in 1m11s
android / android (push) Successful in 4m1s
apple / screenshots (push) Successful in 4m29s
arch / build-publish (push) Successful in 5m52s
ci / web (push) Successful in 1m16s
ci / docs-site (push) Successful in 1m11s
ci / rust (push) Successful in 4m54s
deb / build-publish (push) Successful in 3m0s
decky / build-publish (push) Successful in 24s
ci / bench (push) Successful in 4m44s
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Successful in 32s
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Successful in 2m50s
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Successful in 2m30s
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Successful in 53s
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Successful in 2m18s
rpm / build-publish (43, bazzite, punktfunk-fedora-rpm) (push) Successful in 10m14s
rpm / build-publish (44, fedora-44, punktfunk-fedora44-rpm) (push) Successful in 10m5s
docker / deploy-docs (push) Successful in 22s
CachyOS ships ufw enabled by default (firewalld is not installed) — verified live on the .21 box — but the docs and shipped firewall openers claimed "CachyOS enables firewalld by default". Correct that everywhere and ship a ufw application profile (the one-liner analogue of the firewalld service files):

- packaging/linux/punktfunk.ufw (new): [punktfunk-native], [punktfunk-gamestream], [punktfunk-web] profiles, installed to /etc/ufw/applications.d/punktfunk by the Arch (CachyOS) and .deb host packages. `sudo ufw allow punktfunk-native`.
- packaging/linux/punktfunk-web.xml (new): firewalld service for the optional web console (TCP 47992), installed by the host package on arch/deb/rpm. Neither the native nor gamestream opener covered 47992, so a firewalld/ufw host that enabled punktfunk-web could not reach the console over the LAN.
- Fix the "CachyOS enables firewalld" claim in arch.md, arch/README.md, debian/README.md, both firewalld service .xml comments, and the pacman scriptlet; firewalld now attributed to the spins that use it (EndeavourOS, Fedora/RHEL).
- Docs present both one-liners (ufw + firewalld) whichever firewall you run, plus a console-opener step; postinst/scriptlet hints detect ufw as well as firewalld.

The native data plane stays hole-punched (ephemeral UDP, no fixed port) — its openers correctly open only 9777/udp + mDNS; the stale "open a UDP range" note is replaced with the accurate outbound-UDP explanation.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@@ -109,28 +109,40 @@ To set your own, edit that file and `systemctl --user restart punktfunk-web`. Fo
|
|||||||
## 5. Open the firewall (if you have one)
|
## 5. Open the firewall (if you have one)
|
||||||
|
|
||||||
**Stock Arch ships no firewall** — every port is already open, so you can skip this. But **CachyOS
|
**Stock Arch ships no firewall** — every port is already open, so you can skip this. But **CachyOS
|
||||||
enables `firewalld` by default**, and an Arch package never opens ports for you (it won't touch your
|
enables `ufw` by default** (firewalld is not installed), and some other spins (e.g. EndeavourOS)
|
||||||
running firewall), so on CachyOS the host is unreachable until you allow it.
|
enable **`firewalld`** — an Arch package never opens ports for you, so on those the host is
|
||||||
|
unreachable until you allow it.
|
||||||
|
|
||||||
The `punktfunk-host` package installs **firewalld service definitions** for exactly this, so
|
The `punktfunk-host` package installs openers for **both**, so it's a one-liner whichever you run:
|
||||||
enabling is one command. Reload once so firewalld sees the just-installed definition, add the
|
|
||||||
service, then reload to apply:
|
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
sudo firewall-cmd --reload
|
# ufw — CachyOS (and Ubuntu, once you enable ufw):
|
||||||
sudo firewall-cmd --permanent --add-service=punktfunk-native # the default native host
|
sudo ufw allow punktfunk-native # the secure native host (the default)
|
||||||
# --add-service=punktfunk-gamestream # …or add this for Moonlight compat
|
sudo ufw allow punktfunk-gamestream # …also this if you run `serve --gamestream` (Moonlight)
|
||||||
|
|
||||||
|
# firewalld — Fedora-like spins (EndeavourOS, …):
|
||||||
|
sudo firewall-cmd --reload # load the installed definition
|
||||||
|
sudo firewall-cmd --permanent --add-service=punktfunk-native
|
||||||
sudo firewall-cmd --reload
|
sudo firewall-cmd --reload
|
||||||
```
|
```
|
||||||
|
|
||||||
`punktfunk-native` opens the QUIC control port (UDP 9777) + mDNS discovery; add
|
`punktfunk-native` opens the QUIC control port (UDP 9777) + mDNS discovery; add
|
||||||
`punktfunk-gamestream` as well if you run `serve --gamestream` (the fixed Moonlight ports + mDNS).
|
`punktfunk-gamestream` as well if you run `serve --gamestream` (the fixed Moonlight ports + mDNS).
|
||||||
The media **data plane** uses an *ephemeral* UDP port per session (nothing fixed to open); a
|
The media **data plane** uses an *ephemeral* UDP port that the client opens with a hole-punch — the
|
||||||
restrictive firewall must also allow a UDP range. The web console (47992) and mgmt API (47990,
|
host streams back out through the path the client opened, so there's **nothing fixed to open** as
|
||||||
loopback-only) are **not** opened by these — reach the console from the host box, or open 47992
|
long as the firewall allows outbound UDP (the default for both ufw and firewalld).
|
||||||
yourself if you want it on the LAN. Not on firewalld? See
|
|
||||||
[`packaging/arch/README.md`](https://git.unom.io/unom/punktfunk/src/branch/main/packaging/arch/README.md#firewall)
|
Enabled the **web console** (`punktfunk-web`, above) and want to reach it from your phone or another
|
||||||
for the `ufw`/`nftables` port lists.
|
machine? It's not opened by the streaming rules — open its port too, the same one-liner way:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
sudo ufw allow punktfunk-web # ufw
|
||||||
|
sudo firewall-cmd --permanent --add-service=punktfunk-web && sudo firewall-cmd --reload # firewalld
|
||||||
|
```
|
||||||
|
|
||||||
|
That opens **TCP 47992** (HTTPS, login-gated). The mgmt API (47990) stays loopback-only and is never
|
||||||
|
opened. Full port lists (`nftables`, explicit ports) are in
|
||||||
|
[`packaging/arch/README.md`](https://git.unom.io/unom/punktfunk/src/branch/main/packaging/arch/README.md#firewall).
|
||||||
|
|
||||||
## 6. Connect a client
|
## 6. Connect a client
|
||||||
|
|
||||||
|
|||||||
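Review bot: the data-plane paragraph (`The media **data plane** uses an *ephemeral* UDP port that the client opens with a hole-punch — the host streams back out through the path the client opened`) states the opposite direction from the ufw and nftables comments later in this commit (`an ephemeral UDP port the host hole-punches`), and the direction decides whether a default-deny inbound policy needs anything: if the host sends the first datagram, the stateful return path covers the client's packets; if the client sends first to the port the host reported over the control channel, that packet hits the inbound chain and "allows outbound UDP" is not enough. Settle which side sends first and use the same wording in every file. Also, `# firewalld — Fedora-like spins (EndeavourOS, …)` mislabels EndeavourOS, which is Arch-based; `# firewalld — spins that enable it (EndeavourOS, …)` is accurate for an Arch page.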
+12
-4
@@ -134,14 +134,22 @@ package_punktfunk-host() {
|
|||||||
install -Dm0644 "$R/packaging/bazzite/gamescope-headless-session" \
|
install -Dm0644 "$R/packaging/bazzite/gamescope-headless-session" \
|
||||||
"$pkgdir/etc/gamescope-session-plus/sessions.d/steam"
|
"$pkgdir/etc/gamescope-session-plus/sessions.d/steam"
|
||||||
install -Dm0644 "$R/api/openapi.json" "$pkgdir/usr/share/punktfunk/openapi.json"
|
install -Dm0644 "$R/api/openapi.json" "$pkgdir/usr/share/punktfunk/openapi.json"
|
||||||
# firewalld service definitions — NOT auto-enabled (Arch packages never touch the admin's
|
# Firewall openers — NOT auto-enabled (an Arch package never touches the admin's running firewall).
|
||||||
# firewall). Stock Arch ships none, so they're a no-op there; CachyOS et al. ship firewalld, so
|
# Stock Arch ships no firewall; CachyOS ships ufw; some spins (EndeavourOS) enable firewalld — so we
|
||||||
# sudo firewall-cmd --reload && sudo firewall-cmd --permanent --add-service=punktfunk-gamestream && sudo firewall-cmd --reload
|
# install BOTH a ufw application profile and firewalld service definitions, and the one for whatever
|
||||||
# (or =punktfunk-native). See README.md → Firewall.
|
# firewall you actually run is a one-liner. See README.md → Firewall.
|
||||||
|
# ufw: sudo ufw allow punktfunk-native (or punktfunk-gamestream)
|
||||||
|
# firewalld: sudo firewall-cmd --reload && sudo firewall-cmd --permanent --add-service=punktfunk-native && sudo firewall-cmd --reload
|
||||||
|
install -Dm0644 "$R/packaging/linux/punktfunk.ufw" \
|
||||||
|
"$pkgdir/etc/ufw/applications.d/punktfunk"
|
||||||
install -Dm0644 "$R/packaging/linux/punktfunk-gamestream.xml" \
|
install -Dm0644 "$R/packaging/linux/punktfunk-gamestream.xml" \
|
||||||
"$pkgdir/usr/lib/firewalld/services/punktfunk-gamestream.xml"
|
"$pkgdir/usr/lib/firewalld/services/punktfunk-gamestream.xml"
|
||||||
install -Dm0644 "$R/packaging/linux/punktfunk-native.xml" \
|
install -Dm0644 "$R/packaging/linux/punktfunk-native.xml" \
|
||||||
"$pkgdir/usr/lib/firewalld/services/punktfunk-native.xml"
|
"$pkgdir/usr/lib/firewalld/services/punktfunk-native.xml"
|
||||||
|
# Web console opener (TCP 47992) — only meaningful with the optional punktfunk-web package; opened
|
||||||
|
# deliberately (see README.md → Firewall). ufw's equivalent is the punktfunk-web profile above.
|
||||||
|
install -Dm0644 "$R/packaging/linux/punktfunk-web.xml" \
|
||||||
|
"$pkgdir/usr/lib/firewalld/services/punktfunk-web.xml"
|
||||||
install -Dm0644 "$R/LICENSE-MIT" "$pkgdir/usr/share/licenses/punktfunk-host/LICENSE-MIT"
|
install -Dm0644 "$R/LICENSE-MIT" "$pkgdir/usr/share/licenses/punktfunk-host/LICENSE-MIT"
|
||||||
install -Dm0644 "$R/LICENSE-APACHE" "$pkgdir/usr/share/licenses/punktfunk-host/LICENSE-APACHE"
|
install -Dm0644 "$R/LICENSE-APACHE" "$pkgdir/usr/share/licenses/punktfunk-host/LICENSE-APACHE"
|
||||||
install -Dm0644 "$R/README.md" "$pkgdir/usr/share/doc/punktfunk-host/README.md"
|
install -Dm0644 "$R/README.md" "$pkgdir/usr/share/doc/punktfunk-host/README.md"
|
||||||
|
|||||||
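Review bot: a profile under `/etc/ufw/applications.d/` is read fresh each time `ufw allow <name>` runs, but a rule already created from it is not refreshed when a later package version ships a changed port list; `ufw app update punktfunk-native` (or `ufw app update all`) is what picks that up, so the upgrade path deserves one line in the `.install` hint or in README.md → Firewall next to the one-liner. Separately, since the profile is not in `backup=()` it is overwritten on every upgrade; that is the right choice for a vendored profile, but a short comment above the `install -Dm0644 "$R/packaging/linux/punktfunk.ufw"` line saying so keeps someone from "fixing" it later.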
+40
-26
@@ -139,33 +139,45 @@ so it's a much lighter sysext than the host.
|
|||||||
|
|
||||||
**Stock Arch ships no firewall** — every port is open by default, so there is nothing to do.
|
**Stock Arch ships no firewall** — every port is open by default, so there is nothing to do.
|
||||||
Spins that enable one **do not** get their ports opened for you: an Arch package never touches the
|
Spins that enable one **do not** get their ports opened for you: an Arch package never touches the
|
||||||
admin's running firewall. **CachyOS is the common case** — its installer turns on `firewalld` by
|
admin's running firewall. **CachyOS is the common case** — it ships `ufw` enabled by default (not
|
||||||
default, so out of the box the host is unreachable until you allow it.
|
firewalld), so out of the box the host is unreachable until you allow it. Some other spins (e.g.
|
||||||
|
EndeavourOS) enable `firewalld` instead.
|
||||||
|
|
||||||
The `punktfunk-host` package ships **firewalld service definitions** (installed to
|
The `punktfunk-host` package ships openers for **both** — a ufw application profile
|
||||||
`/usr/lib/firewalld/services/`) so enabling is one command — pick the plane your host serves:
|
(`/etc/ufw/applications.d/punktfunk`) and firewalld service definitions
|
||||||
|
(`/usr/lib/firewalld/services/`) — so enabling is one command whichever you run:
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
# Reload once so firewalld picks up the just-installed service definition, add it, reload to apply.
|
# ufw (CachyOS, and Ubuntu once you enable ufw) — reads the profile at once, no reload needed:
|
||||||
sudo firewall-cmd --reload
|
sudo ufw allow punktfunk-native # the native-only host (the default)
|
||||||
sudo firewall-cmd --permanent --add-service=punktfunk-gamestream # Moonlight/GameStream host
|
sudo ufw allow punktfunk-gamestream # …or add this for the Moonlight/GameStream host
|
||||||
# --add-service=punktfunk-native # …or the native-only host
|
|
||||||
|
# firewalld (EndeavourOS and other Fedora-like spins):
|
||||||
|
sudo firewall-cmd --reload # pick up the installed def
|
||||||
|
sudo firewall-cmd --permanent --add-service=punktfunk-native
|
||||||
|
# --add-service=punktfunk-gamestream # …for the Moonlight host
|
||||||
sudo firewall-cmd --reload
|
sudo firewall-cmd --reload
|
||||||
```
|
```
|
||||||
|
|
||||||
`punktfunk-gamestream` opens the fixed Moonlight ports + mDNS; `punktfunk-native` opens the QUIC
|
`punktfunk-gamestream` opens the fixed Moonlight ports + mDNS; `punktfunk-native` opens the QUIC
|
||||||
control port (UDP 9777) + mDNS. Enable both if the host runs `serve --gamestream` (which serves
|
control port (UDP 9777) + mDNS. Enable both if the host runs `serve --gamestream` (which serves
|
||||||
both planes). The **data plane is an *ephemeral* UDP port** negotiated per session, so there is no
|
both planes). The **data plane is an *ephemeral* UDP port** the client opens with a hole-punch, so
|
||||||
fixed data port in either service; a restrictive firewall must additionally allow a UDP range (the
|
there is no fixed data port in either service — the host streams back out through the path the
|
||||||
project does not pin one). The mgmt REST API (TCP 47990) binds to loopback by default — leave it
|
client opened, which any firewall that allows outbound UDP (the default) passes. The mgmt REST API
|
||||||
closed unless you move it off loopback with `--mgmt-bind IP:PORT` (which then requires
|
(TCP 47990) binds to loopback by default — leave it closed unless you move it off loopback with
|
||||||
`--mgmt-token`).
|
`--mgmt-bind IP:PORT` (which then requires `--mgmt-token`).
|
||||||
|
|
||||||
For a non-firewalld setup, open the ports directly. The **native `punktfunk/1`** plane:
|
If you installed the **web console** (`punktfunk-web`) and want it reachable from another device,
|
||||||
|
open its port with the matching one-liner — `sudo ufw allow punktfunk-web` or `sudo firewall-cmd
|
||||||
|
--permanent --add-service=punktfunk-web && sudo firewall-cmd --reload` — which opens **TCP 47992**
|
||||||
|
(HTTPS, login-gated). The mgmt API (47990) stays loopback-only.
|
||||||
|
|
||||||
|
Prefer explicit rules (or a firewall the shipped profiles don't cover)? Open the ports directly.
|
||||||
|
The **native `punktfunk/1`** plane:
|
||||||
|
|
||||||
- **QUIC control plane: UDP 9777** (`serve --native-port N` to change).
|
- **QUIC control plane: UDP 9777** (`serve --native-port N` to change).
|
||||||
- **Data plane: an *ephemeral* UDP port** — negotiated per session, so there is no fixed port to
|
- **Data plane: an *ephemeral* UDP port** the client hole-punches — nothing to open inbound as long
|
||||||
open. For a restrictive firewall you'd need to allow a UDP range (the repo does not pin one).
|
as outbound UDP is allowed (the host streams back out through the client-opened path).
|
||||||
|
|
||||||
And the **GameStream / Moonlight** ports (fixed) — only needed if you run the host with
|
And the **GameStream / Moonlight** ports (fixed) — only needed if you run the host with
|
||||||
`serve --gamestream` (opt-in, trusted LAN only); bare `serve` is native-only and doesn't open these:
|
`serve --gamestream` (opt-in, trusted LAN only); bare `serve` is native-only and doesn't open these:
|
||||||
@@ -181,14 +193,14 @@ And the **GameStream / Moonlight** ports (fixed) — only needed if you run the
|
|||||||
The mgmt API (TCP 47990) binds to loopback by default — leave it closed unless you move it off
|
The mgmt API (TCP 47990) binds to loopback by default — leave it closed unless you move it off
|
||||||
loopback with `--mgmt-bind IP:PORT` (which then requires `--mgmt-token`).
|
loopback with `--mgmt-bind IP:PORT` (which then requires `--mgmt-token`).
|
||||||
|
|
||||||
With `ufw`:
|
With `ufw` (explicit ports, instead of the shipped `punktfunk-native`/`punktfunk-gamestream` profile):
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
sudo ufw allow 9777/udp # punktfunk/1 control plane
|
sudo ufw allow 9777/udp # punktfunk/1 control plane
|
||||||
sudo ufw allow 47984/tcp && sudo ufw allow 47989/tcp && sudo ufw allow 48010/tcp
|
sudo ufw allow 47984/tcp && sudo ufw allow 47989/tcp && sudo ufw allow 48010/tcp
|
||||||
sudo ufw allow 47998:48010/udp
|
sudo ufw allow 47998,47999,48000/udp # GameStream video/control/audio
|
||||||
sudo ufw allow 5353/udp
|
sudo ufw allow 5353/udp # mDNS discovery
|
||||||
# plus the ephemeral punktfunk/1 data port — open a UDP range you reserve for it.
|
# The punktfunk/1 data plane is an ephemeral UDP port the host hole-punches — nothing to open here.
|
||||||
```
|
```
|
||||||
|
|
||||||
With raw `nftables` (add to your `inet filter input` chain):
|
With raw `nftables` (add to your `inet filter input` chain):
|
||||||
@@ -196,18 +208,20 @@ With raw `nftables` (add to your `inet filter input` chain):
|
|||||||
```
|
```
|
||||||
udp dport 9777 accept # punktfunk/1 control plane
|
udp dport 9777 accept # punktfunk/1 control plane
|
||||||
tcp dport { 47984, 47989, 48010 } accept
|
tcp dport { 47984, 47989, 48010 } accept
|
||||||
udp dport { 47998-48010, 5353 } accept
|
udp dport { 47998-48000, 5353 } accept # GameStream video/control/audio + mDNS
|
||||||
# plus the ephemeral punktfunk/1 data port (a reserved UDP range).
|
# The punktfunk/1 data plane is an ephemeral UDP port the host hole-punches — a stateful chain that
|
||||||
|
# accepts ct state established,related (as this one should) passes the return with nothing extra.
|
||||||
```
|
```
|
||||||
|
|
||||||
## Files
|
## Files
|
||||||
- `PKGBUILD` — split package: `punktfunk-host` + `punktfunk-client` (builds the working tree via
|
- `PKGBUILD` — split package: `punktfunk-host` + `punktfunk-client` (builds the working tree via
|
||||||
`PF_SRCDIR`, or a git tag for AUR).
|
`PF_SRCDIR`, or a git tag for AUR).
|
||||||
- `punktfunk-host.install` / `punktfunk-client.install` — pacman scriptlets (udev reload + sysctl +
|
- `punktfunk-host.install` / `punktfunk-client.install` — pacman scriptlets (udev reload + sysctl +
|
||||||
first-run hint, incl. the firewalld enable command when firewalld is present), mirror the RPM
|
first-run hint, incl. the ufw/firewalld enable command for whichever is present), mirror the RPM
|
||||||
`%post` / deb postinst.
|
`%post` / deb postinst.
|
||||||
- The firewalld service definitions (`punktfunk-gamestream.xml` / `punktfunk-native.xml`) are shared
|
- The firewall openers are shared across all Linux packaging and live in [`../linux/`](../linux/):
|
||||||
across all Linux packaging and live in [`../linux/`](../linux/); the host package installs them to
|
the ufw application profile (`punktfunk.ufw` → `/etc/ufw/applications.d/punktfunk`) and the
|
||||||
`/usr/lib/firewalld/services/` (not auto-enabled; see Firewall above).
|
firewalld service definitions (`punktfunk-native.xml` / `punktfunk-gamestream.xml` /
|
||||||
|
`punktfunk-web.xml` → `/usr/lib/firewalld/services/`). None auto-enabled; see Firewall above.
|
||||||
- `build-sysext.sh` — wraps either built `.pkg.tar.zst` into a `systemd-sysext` `.raw` for SteamOS
|
- `build-sysext.sh` — wraps either built `.pkg.tar.zst` into a `systemd-sysext` `.raw` for SteamOS
|
||||||
(derives the name from the package, so it works for host or client).
|
(derives the name from the package, so it works for host or client).
|
||||||
|
|||||||
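Review bot: `# accepts ct state established,related (as this one should) passes the return with nothing extra.` depends on a rule the snippet does not contain; since this block is offered as a paste-in fragment for the `inet filter input` chain, add `ct state established,related accept` as its first line so the claim holds for anyone who copies only these lines. The same comment says the host hole-punches, which only makes the return path stateful if the host's datagram goes out first; keep that consistent with the "client opens with a hole-punch" wording in the README hunk above.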
@@ -17,15 +17,24 @@ punktfunk-host installed.
|
|||||||
NOTE: encode is NVENC-only. Install 'nvidia-utils' on an NVIDIA host. An AMD Steam Deck is NOT
|
NOTE: encode is NVENC-only. Install 'nvidia-utils' on an NVIDIA host. An AMD Steam Deck is NOT
|
||||||
yet supported — it needs a VAAPI (hevc_vaapi) encoder backend (see packaging/arch/README.md).
|
yet supported — it needs a VAAPI (hevc_vaapi) encoder backend (see packaging/arch/README.md).
|
||||||
MSG
|
MSG
|
||||||
# Firewall: stock Arch ships none (ports already open), but CachyOS et al. enable firewalld. We
|
# Firewall: stock Arch ships none (ports already open); CachyOS ships ufw; some spins (EndeavourOS)
|
||||||
# install firewalld service definitions but never touch the running firewall — just point the way.
|
# enable firewalld. We install a ufw app profile AND firewalld service definitions but never touch
|
||||||
|
# the running firewall — just point the way for whichever is active.
|
||||||
|
if command -v ufw >/dev/null 2>&1; then
|
||||||
|
cat <<'MSG'
|
||||||
|
|
||||||
|
4. ufw is installed — open the streaming ports once (native-only host shown; add
|
||||||
|
'punktfunk-gamestream' as well for Moonlight compat):
|
||||||
|
sudo ufw allow punktfunk-native
|
||||||
|
MSG
|
||||||
|
fi
|
||||||
if command -v firewall-cmd >/dev/null 2>&1; then
|
if command -v firewall-cmd >/dev/null 2>&1; then
|
||||||
cat <<'MSG'
|
cat <<'MSG'
|
||||||
|
|
||||||
4. firewalld is active — open the streaming ports once (GameStream/Moonlight shown; use
|
4. firewalld is active — open the streaming ports once (native-only host shown; add
|
||||||
'punktfunk-native' instead for the native-only host):
|
'punktfunk-gamestream' as well for Moonlight compat):
|
||||||
sudo firewall-cmd --reload # load the new service def
|
sudo firewall-cmd --reload # load the new service def
|
||||||
sudo firewall-cmd --permanent --add-service=punktfunk-gamestream
|
sudo firewall-cmd --permanent --add-service=punktfunk-native
|
||||||
sudo firewall-cmd --reload
|
sudo firewall-cmd --reload
|
||||||
MSG
|
MSG
|
||||||
fi
|
fi
|
||||||
|
|||||||
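Review bot: `if command -v ufw >/dev/null 2>&1; then` only proves the binary exists, yet both branches print a step `4.`, and the firewalld text says `firewalld is active` while its test is likewise just `command -v firewall-cmd`. On a box with both packages installed the hint prints two step 4s, and on a box where firewalld is installed but stopped the claim is wrong. The scriptlet runs as root, so `systemctl is-active --quiet ufw` / `systemctl is-active --quiet firewalld` (or `ufw status | grep -q '^Status: active'`) is a cheap and accurate gate; failing that, word the firewalld hint like the ufw one (`is installed`).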
+20
-12
@@ -53,23 +53,31 @@ journalctl --user -u punktfunk-web-init | sed -n 's/.*password generated: //p'
|
|||||||
## Firewall
|
## Firewall
|
||||||
|
|
||||||
**Debian ships no firewall and Ubuntu's `ufw` is installed-but-inactive by default**, so out of the
|
**Debian ships no firewall and Ubuntu's `ufw` is installed-but-inactive by default**, so out of the
|
||||||
box there is nothing to open. If you run one, open the ports the host listens on.
|
box there is nothing to open. If you turn one on, the `punktfunk-host` package ships a one-liner
|
||||||
|
opener for both **ufw** and **firewalld** (neither auto-enabled):
|
||||||
If you use **firewalld**, the `punktfunk-host` package installs service definitions to
|
|
||||||
`/usr/lib/firewalld/services/` (not auto-enabled), so it's one command:
|
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
|
# ufw (Ubuntu) — profile at /etc/ufw/applications.d/punktfunk, read at once (no reload):
|
||||||
|
sudo ufw allow punktfunk-native # the default native host
|
||||||
|
sudo ufw allow punktfunk-gamestream # …add for Moonlight compat
|
||||||
|
|
||||||
|
# firewalld — service definitions at /usr/lib/firewalld/services/:
|
||||||
sudo firewall-cmd --reload # load the installed definition
|
sudo firewall-cmd --reload # load the installed definition
|
||||||
sudo firewall-cmd --permanent --add-service=punktfunk-native # the default native host
|
sudo firewall-cmd --permanent --add-service=punktfunk-native
|
||||||
# --add-service=punktfunk-gamestream # …add for Moonlight compat
|
# --add-service=punktfunk-gamestream # …add for Moonlight compat
|
||||||
sudo firewall-cmd --reload
|
sudo firewall-cmd --reload
|
||||||
```
|
```
|
||||||
|
|
||||||
Otherwise open the ports directly. The **native `punktfunk/1`** plane:
|
If you installed the **web console** (`punktfunk-web`) and want it reachable from another device,
|
||||||
|
open its port with the matching one-liner — `sudo ufw allow punktfunk-web` or `sudo firewall-cmd
|
||||||
|
--permanent --add-service=punktfunk-web && sudo firewall-cmd --reload` — which opens **TCP 47992**
|
||||||
|
(HTTPS, login-gated). The mgmt API (47990) stays loopback-only.
|
||||||
|
|
||||||
|
Prefer explicit rules? Open the ports directly. The **native `punktfunk/1`** plane:
|
||||||
|
|
||||||
- **QUIC control plane: UDP 9777** (`serve --native-port N` to change).
|
- **QUIC control plane: UDP 9777** (`serve --native-port N` to change).
|
||||||
- **Data plane: an *ephemeral* UDP port** — negotiated per session, so there is no fixed port to
|
- **Data plane: an *ephemeral* UDP port** the client hole-punches — nothing to open inbound as long
|
||||||
open. For a restrictive firewall you'd need to allow a UDP range (the repo does not pin one).
|
as outbound UDP is allowed (the host streams back out through the client-opened path).
|
||||||
|
|
||||||
And the **GameStream / Moonlight** ports (fixed) — only needed if you run the host with
|
And the **GameStream / Moonlight** ports (fixed) — only needed if you run the host with
|
||||||
`serve --gamestream` (opt-in, trusted LAN only); bare `serve` is native-only and doesn't open these:
|
`serve --gamestream` (opt-in, trusted LAN only); bare `serve` is native-only and doesn't open these:
|
||||||
@@ -85,14 +93,14 @@ And the **GameStream / Moonlight** ports (fixed) — only needed if you run the
|
|||||||
The mgmt API (TCP 47990) binds to loopback by default — leave it closed unless you move it off
|
The mgmt API (TCP 47990) binds to loopback by default — leave it closed unless you move it off
|
||||||
loopback with `--mgmt-bind IP:PORT` (which then requires `--mgmt-token`).
|
loopback with `--mgmt-bind IP:PORT` (which then requires `--mgmt-token`).
|
||||||
|
|
||||||
With `ufw`:
|
With `ufw` (explicit ports, instead of the shipped profile):
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
sudo ufw allow 9777/udp # punktfunk/1 control plane
|
sudo ufw allow 9777/udp # punktfunk/1 control plane
|
||||||
sudo ufw allow 47984/tcp && sudo ufw allow 47989/tcp && sudo ufw allow 48010/tcp
|
sudo ufw allow 47984/tcp && sudo ufw allow 47989/tcp && sudo ufw allow 48010/tcp
|
||||||
sudo ufw allow 47998:48010/udp
|
sudo ufw allow 47998,47999,48000/udp # GameStream video/control/audio
|
||||||
sudo ufw allow 5353/udp
|
sudo ufw allow 5353/udp # mDNS discovery
|
||||||
# plus the ephemeral punktfunk/1 data port — open a UDP range you reserve for it.
|
# The punktfunk/1 data plane is an ephemeral UDP port the host hole-punches — nothing to open here.
|
||||||
```
|
```
|
||||||
|
|
||||||
With raw `nftables` (add to your `inet filter input` chain):
|
With raw `nftables` (add to your `inet filter input` chain):
|
||||||
|
|||||||
@@ -80,13 +80,19 @@ install -Dm0644 scripts/host.env.example "$SHAREDIR/host.env.example"
|
|||||||
install -Dm0644 packaging/bazzite/host.env "$SHAREDIR/host.env.bazzite"
|
install -Dm0644 packaging/bazzite/host.env "$SHAREDIR/host.env.bazzite"
|
||||||
install -Dm0644 packaging/kde/host.env "$SHAREDIR/host.env.kde"
|
install -Dm0644 packaging/kde/host.env "$SHAREDIR/host.env.kde"
|
||||||
install -Dm0644 api/openapi.json "$SHAREDIR/openapi.json"
|
install -Dm0644 api/openapi.json "$SHAREDIR/openapi.json"
|
||||||
# firewalld service definitions (shared across all Linux packaging). NOT auto-enabled — the postinst
|
# Firewall openers (shared across all Linux packaging), NOT auto-enabled — the postinst prints the
|
||||||
# only prints the enable command when firewalld is present. Debian/Ubuntu ship no active firewall
|
# enable command for whichever firewall is present. Debian ships none and Ubuntu's ufw is
|
||||||
# (Ubuntu's ufw is installed-but-inactive), so these are a no-op unless the admin runs firewalld.
|
# installed-but-inactive, so these are a no-op until the admin turns a firewall on.
|
||||||
|
install -Dm0644 packaging/linux/punktfunk.ufw \
|
||||||
|
"$STAGE/etc/ufw/applications.d/punktfunk"
|
||||||
install -Dm0644 packaging/linux/punktfunk-gamestream.xml \
|
install -Dm0644 packaging/linux/punktfunk-gamestream.xml \
|
||||||
"$STAGE/usr/lib/firewalld/services/punktfunk-gamestream.xml"
|
"$STAGE/usr/lib/firewalld/services/punktfunk-gamestream.xml"
|
||||||
install -Dm0644 packaging/linux/punktfunk-native.xml \
|
install -Dm0644 packaging/linux/punktfunk-native.xml \
|
||||||
"$STAGE/usr/lib/firewalld/services/punktfunk-native.xml"
|
"$STAGE/usr/lib/firewalld/services/punktfunk-native.xml"
|
||||||
|
# Web console opener (TCP 47992) — only meaningful with the optional punktfunk-web package; opened
|
||||||
|
# deliberately (see README.md → Firewall). ufw's equivalent is the punktfunk-web profile above.
|
||||||
|
install -Dm0644 packaging/linux/punktfunk-web.xml \
|
||||||
|
"$STAGE/usr/lib/firewalld/services/punktfunk-web.xml"
|
||||||
install -Dm0644 LICENSE-MIT "$DOCDIR/LICENSE-MIT"
|
install -Dm0644 LICENSE-MIT "$DOCDIR/LICENSE-MIT"
|
||||||
install -Dm0644 LICENSE-APACHE "$DOCDIR/LICENSE-APACHE"
|
install -Dm0644 LICENSE-APACHE "$DOCDIR/LICENSE-APACHE"
|
||||||
install -Dm0644 README.md "$DOCDIR/README.md"
|
install -Dm0644 README.md "$DOCDIR/README.md"
|
||||||
@@ -193,11 +199,14 @@ if [ "$1" = "configure" ]; then
|
|||||||
echo " sudo usermod -aG input \"\$USER\" # then re-login"
|
echo " sudo usermod -aG input \"\$USER\" # then re-login"
|
||||||
echo "Config: mkdir -p ~/.config/punktfunk && cp /usr/share/punktfunk-host/host.env.example ~/.config/punktfunk/host.env"
|
echo "Config: mkdir -p ~/.config/punktfunk && cp /usr/share/punktfunk-host/host.env.example ~/.config/punktfunk/host.env"
|
||||||
echo "Enable: systemctl --user enable --now punktfunk-host"
|
echo "Enable: systemctl --user enable --now punktfunk-host"
|
||||||
# Debian/Ubuntu ship no active firewall; only hint firewalld users (ufw users: see README).
|
# Debian ships no active firewall and Ubuntu's ufw is inactive by default; hint whichever is present.
|
||||||
|
if command -v ufw >/dev/null 2>&1; then
|
||||||
|
echo "Firewall (ufw detected): sudo ufw allow punktfunk-native (or punktfunk-gamestream for Moonlight)"
|
||||||
|
fi
|
||||||
if command -v firewall-cmd >/dev/null 2>&1; then
|
if command -v firewall-cmd >/dev/null 2>&1; then
|
||||||
echo "Firewall (firewalld detected): sudo firewall-cmd --reload &&"
|
echo "Firewall (firewalld detected): sudo firewall-cmd --reload &&"
|
||||||
echo " sudo firewall-cmd --permanent --add-service=punktfunk-gamestream && sudo firewall-cmd --reload"
|
echo " sudo firewall-cmd --permanent --add-service=punktfunk-native && sudo firewall-cmd --reload"
|
||||||
echo " (use punktfunk-native for the native-only host)"
|
echo " (use punktfunk-gamestream for the Moonlight-compat host)"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
exit 0
|
exit 0
|
||||||
|
|||||||
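Review bot: `if command -v ufw >/dev/null 2>&1; then` is true on every default Ubuntu install, and the comment two lines above says `Ubuntu's ufw is inactive by default`, so the ufw hint will print for the majority of users who have no firewall on. postinst runs as root, so gate on `ufw status 2>/dev/null | grep -q '^Status: active'` (or `systemctl is-active --quiet ufw`) and keep the bare `command -v` check only as a fallback; the firewalld branch has the same weakness with `command -v firewall-cmd`.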
@@ -4,9 +4,10 @@
|
|||||||
|
|
||||||
Installed to /usr/lib/firewalld/services/ by the punktfunk-host package. It is NOT enabled
|
Installed to /usr/lib/firewalld/services/ by the punktfunk-host package. It is NOT enabled
|
||||||
automatically: an Arch package never touches the admin's running firewall. Stock Arch ships no
|
automatically: an Arch package never touches the admin's running firewall. Stock Arch ships no
|
||||||
firewall (these ports are already open); Fedora/RHEL and CachyOS enable firewalld by default, so
|
firewall (these ports are already open); Fedora/RHEL and some Arch spins (EndeavourOS) enable
|
||||||
enable it once with firewall-cmd (add-service=punktfunk-gamestream, then reload). Exact commands:
|
firewalld by default, so enable it once with firewall-cmd (add-service=punktfunk-gamestream, then
|
||||||
your distro's install guide, or the per-distro packaging README (Firewall section).
|
reload). CachyOS and Ubuntu use ufw instead — the package also ships a ufw application profile
|
||||||
|
(punktfunk.ufw). Exact commands: your distro's install guide, or the per-distro packaging README.
|
||||||
|
|
||||||
Needed only when the host runs GameStream/Moonlight compat (serve with the gamestream flag). The
|
Needed only when the host runs GameStream/Moonlight compat (serve with the gamestream flag). The
|
||||||
mgmt REST API (TCP 47990) stays on loopback by default and is deliberately not opened here.
|
mgmt REST API (TCP 47990) stays on loopback by default and is deliberately not opened here.
|
||||||
|
|||||||
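Review bot: the new sentence names the ufw profile by its source filename (punktfunk.ufw), but per the profile's own header it is installed as /etc/ufw/applications.d/punktfunk, and what `ufw allow` takes is the profile names inside that file (punktfunk-native, punktfunk-gamestream); an admin reading this comment will look for a file called punktfunk.ufw and not find it. Suggest "the package also ships ufw application profiles (punktfunk-native / punktfunk-gamestream, in /etc/ufw/applications.d/punktfunk)".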
@@ -5,8 +5,9 @@
|
|||||||
|
|
||||||
Installed to /usr/lib/firewalld/services/ by the punktfunk-host package. NOT enabled automatically
|
Installed to /usr/lib/firewalld/services/ by the punktfunk-host package. NOT enabled automatically
|
||||||
(packages never touch the admin's firewall). Stock Arch/Debian ship no active firewall; Fedora/RHEL
|
(packages never touch the admin's firewall). Stock Arch/Debian ship no active firewall; Fedora/RHEL
|
||||||
and CachyOS enable firewalld by default, so enable it once with firewall-cmd
|
and some Arch spins (EndeavourOS) enable firewalld by default, so enable it once with firewall-cmd
|
||||||
(add-service=punktfunk-native, then reload). Exact commands: your distro's install guide, or the
|
(add-service=punktfunk-native, then reload). CachyOS and Ubuntu use ufw instead — the package also
|
||||||
|
ships a ufw application profile (punktfunk.ufw). Exact commands: your distro's install guide, or the
|
||||||
per-distro packaging README (Firewall section).
|
per-distro packaging README (Firewall section).
|
||||||
|
|
||||||
The media DATA plane binds an EPHEMERAL UDP port (0.0.0.0:0) chosen per session and reported to the
|
The media DATA plane binds an EPHEMERAL UDP port (0.0.0.0:0) chosen per session and reported to the
|
||||||
|
|||||||
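Review bot: "CachyOS and Ubuntu use ufw instead" lumps two different situations together: the postinst comment in this same change says Ubuntu ships ufw inactive by default, while the ufw profile header says CachyOS ships it enabled. Only the CachyOS case needs an opener for the host to be reachable; stock Ubuntu, like the stock Debian mentioned on the line above, filters nothing until the admin enables ufw. Suggest "CachyOS enables ufw by default (Ubuntu ships it installed but inactive)" so the reader does not conclude Ubuntu blocks these ports out of the box.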
@@ -0,0 +1,20 @@
|
|||||||
|
<?xml version="1.0" encoding="utf-8"?>
|
||||||
|
<!--
|
||||||
|
firewalld service definition for the punktfunk management web console (the optional punktfunk-web
|
||||||
|
package: device pairing, status, GPU selection, performance graphs).
|
||||||
|
|
||||||
|
Installed to /usr/lib/firewalld/services/ by the punktfunk-host package. NOT enabled automatically
|
||||||
|
(packages never touch the admin's firewall). Only useful if you installed the console (punktfunk-web)
|
||||||
|
AND want to reach it from another device on the LAN — the console binds all interfaces on TCP 47992
|
||||||
|
(HTTPS, login-gated). The streaming host itself does not need this open; enable it deliberately with
|
||||||
|
firewall-cmd (add-service=punktfunk-web, then reload). CachyOS/Ubuntu: use the ufw punktfunk-web
|
||||||
|
profile instead.
|
||||||
|
|
||||||
|
The mgmt REST API (TCP 47990) is a different, loopback-only surface (the console proxies to it
|
||||||
|
locally) and is deliberately NOT opened here.
|
||||||
|
-->
|
||||||
|
<service>
|
||||||
|
<short>Punktfunk web console</short>
|
||||||
|
<description>The optional punktfunk management web console (device pairing, status, GPU selection, performance graphs) over HTTPS. Open only if you run the punktfunk-web package and want the console reachable from other devices on the LAN.</description>
|
||||||
|
<port protocol="tcp" port="47992"/> <!-- HTTPS web console (login-gated) -->
|
||||||
|
</service>
|
||||||
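Review bot: the header states the console binds all interfaces, yet the suggested `firewall-cmd (add-service=punktfunk-web, then reload)` carries no `--zone`, so the service lands in the default zone (typically `public` on Fedora), which is exactly where an untrusted interface usually sits. Since the stated purpose is LAN access to a login-gated console, suggest the comment show `--zone=<zone holding the LAN interface> --add-service=punktfunk-web` and say explicitly that it should not be added to a zone containing an Internet-facing interface. The login gate on 47992 is then a second line of defence rather than the only one.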
@@ -0,0 +1,38 @@
|
|||||||
|
# ufw application profile for the punktfunk host — installed to
|
||||||
|
# /etc/ufw/applications.d/punktfunk by the .deb and the Arch/CachyOS package.
|
||||||
|
#
|
||||||
|
# This is the ufw analogue of the firewalld service definitions
|
||||||
|
# (punktfunk-native.xml / punktfunk-gamestream.xml): it turns opening the host's
|
||||||
|
# ports into a one-liner on the distros that use ufw instead of firewalld
|
||||||
|
# (CachyOS ships ufw enabled; Debian/Ubuntu ship it installed-but-inactive). ufw
|
||||||
|
# reads this directory on every command, so no reload is needed after the
|
||||||
|
# package drops the file — just:
|
||||||
|
#
|
||||||
|
# sudo ufw allow punktfunk-native # the secure native punktfunk/1 host (the default)
|
||||||
|
# sudo ufw allow punktfunk-gamestream # add GameStream/Moonlight compat (opt-in)
|
||||||
|
# sudo ufw allow punktfunk-web # reach the web console from the LAN (if punktfunk-web is installed)
|
||||||
|
# sudo ufw app info punktfunk-native # show what a profile opens
|
||||||
|
#
|
||||||
|
# Same port map as the firewalld services. The punktfunk/1 DATA plane is an
|
||||||
|
# ephemeral UDP port chosen per session and is NOT listed here: the host
|
||||||
|
# hole-punches, so a deny-inbound firewall still works (it just adds ~2.5 s at
|
||||||
|
# session start). To open a fixed one instead, run the host with
|
||||||
|
# `serve --data-port 9778` and `sudo ufw allow 9778/udp`.
|
||||||
|
|
||||||
|
[punktfunk-native]
|
||||||
|
title=punktfunk host (native punktfunk/1)
|
||||||
|
description=punktfunk/1 native streaming: QUIC control plane + mDNS auto-discovery
|
||||||
|
ports=9777/udp|5353/udp
|
||||||
|
|
||||||
|
[punktfunk-gamestream]
|
||||||
|
title=punktfunk host (GameStream/Moonlight)
|
||||||
|
description=GameStream/Moonlight compatibility ports (opt-in, trusted LAN only)
|
||||||
|
ports=47984,47989,48010/tcp|47998:48010/udp|5353/udp
|
||||||
|
|
||||||
|
# The optional web console (the separate punktfunk-web package). Open only if you installed it and
|
||||||
|
# want to reach it from another device — it binds all interfaces on TCP 47992 (HTTPS, login-gated).
|
||||||
|
# The mgmt API (47990) is loopback-only and is deliberately not covered here.
|
||||||
|
[punktfunk-web]
|
||||||
|
title=punktfunk web console
|
||||||
|
description=The optional punktfunk management web console (HTTPS, login-gated) reachable from the LAN
|
||||||
|
ports=47992/tcp
|
||||||
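Review bot: the gamestream profile's description says "trusted LAN only", but the documented one-liner `sudo ufw allow punktfunk-gamestream` creates an allow rule from any source on every interface, so a laptop that later joins public Wi-Fi has 47984,47989,48010/tcp and 47998:48010/udp open there as well. Suggest the header document the scoped form ufw supports, `sudo ufw allow from <LAN CIDR> to any app punktfunk-gamestream`, at least for this profile and for punktfunk-web. One further doc point: "ufw reads this directory on every command" is true for adding rules, but an existing rule does not follow later edits to the profile, so if a future package version changes a port list the admin must run `sudo ufw app update punktfunk-native`; worth one line in the header.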
@@ -266,6 +266,9 @@ install -Dm0644 packaging/linux/punktfunk-gamestream.xml \
|
|||||||
%{buildroot}%{_prefix}/lib/firewalld/services/punktfunk-gamestream.xml
|
%{buildroot}%{_prefix}/lib/firewalld/services/punktfunk-gamestream.xml
|
||||||
install -Dm0644 packaging/linux/punktfunk-native.xml \
|
install -Dm0644 packaging/linux/punktfunk-native.xml \
|
||||||
%{buildroot}%{_prefix}/lib/firewalld/services/punktfunk-native.xml
|
%{buildroot}%{_prefix}/lib/firewalld/services/punktfunk-native.xml
|
||||||
|
# Web console opener (TCP 47992) — only meaningful with the web subpackage, opened deliberately.
|
||||||
|
install -Dm0644 packaging/linux/punktfunk-web.xml \
|
||||||
|
%{buildroot}%{_prefix}/lib/firewalld/services/punktfunk-web.xml
|
||||||
|
|
||||||
%if %{with web}
|
%if %{with web}
|
||||||
# --- web console subpackage (punktfunk-web) ---
|
# --- web console subpackage (punktfunk-web) ---
|
||||||
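Review bot: the three `install -Dm0644 packaging/linux/punktfunk-web.xml` lines sit above `%if %{with web}`, so the file is staged into the buildroot on every build even when the web subpackage is disabled, although the comment on those same lines says it is only meaningful with the web subpackage. Moving them inside the `%if %{with web}` block (with the matching %files entry under the web subpackage) keeps a `--without web` build from shipping an opener for a console it does not contain.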
@@ -298,6 +301,7 @@ install -Dm0644 web/web.env.example %{buildroot}%{_datadir}/punkt
|
|||||||
%{_prefix}/lib/sysctl.d/99-punktfunk-net.conf
|
%{_prefix}/lib/sysctl.d/99-punktfunk-net.conf
|
||||||
%{_prefix}/lib/firewalld/services/punktfunk-gamestream.xml
|
%{_prefix}/lib/firewalld/services/punktfunk-gamestream.xml
|
||||||
%{_prefix}/lib/firewalld/services/punktfunk-native.xml
|
%{_prefix}/lib/firewalld/services/punktfunk-native.xml
|
||||||
|
%{_prefix}/lib/firewalld/services/punktfunk-web.xml
|
||||||
%{_userunitdir}/punktfunk-host.service
|
%{_userunitdir}/punktfunk-host.service
|
||||||
%{_userunitdir}/punktfunk-kde-session.service
|
%{_userunitdir}/punktfunk-kde-session.service
|
||||||
%{_datadir}/applications/io.unom.Punktfunk.Host.desktop
|
%{_datadir}/applications/io.unom.Punktfunk.Host.desktop
|
||||||
|
|||||||
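Review bot: `%{_prefix}/lib/firewalld/services/punktfunk-web.xml` is listed next to the native and gamestream services and the host user units, i.e. in the host package's %files, so `firewall-cmd --add-service=punktfunk-web` succeeds on a machine that never installed punktfunk-web and opens TCP 47992 with nothing listening; a console installed later is then reachable without the deliberate step the XML header asks for. Listing the file under the punktfunk-web subpackage's %files instead ties the opener to the package it serves, and the service definition disappears again when the console is removed.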