c2bc72a8e9
CachyOS ships ufw enabled by default (firewalld is not installed) — verified live on the .21 box — but the docs and shipped firewall openers claimed "CachyOS enables firewalld by default". Correct that everywhere and ship a ufw application profile (the one-liner analogue of the firewalld service files):

- packaging/linux/punktfunk.ufw (new): [punktfunk-native], [punktfunk-gamestream], [punktfunk-web] profiles, installed to /etc/ufw/applications.d/punktfunk by the Arch (CachyOS) and .deb host packages. `sudo ufw allow punktfunk-native`.
- packaging/linux/punktfunk-web.xml (new): firewalld service for the optional web console (TCP 47992), installed by the host package on arch/deb/rpm. Neither the native nor gamestream opener covered 47992, so a firewalld/ufw host that enabled punktfunk-web could not reach the console over the LAN.
- Fix the "CachyOS enables firewalld" claim in arch.md, arch/README.md, debian/README.md, both firewalld service .xml comments, and the pacman scriptlet; firewalld now attributed to the spins that use it (EndeavourOS, Fedora/RHEL).
- Docs present both one-liners (ufw + firewalld) whichever firewall you run, plus a console-opener step; postinst/scriptlet hints detect ufw as well as firewalld.

The native data plane stays hole-punched (ephemeral UDP, no fixed port) — its openers correctly open only 9777/udp + mDNS; the stale "open a UDP range" note is replaced with the accurate outbound-UDP explanation.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
39 lines
2.0 KiB
Plaintext
# ufw application profile for the punktfunk host — installed to
# /etc/ufw/applications.d/punktfunk by the .deb and the Arch/CachyOS package.
#
# This is the ufw analogue of the firewalld service definitions
# (punktfunk-native.xml / punktfunk-gamestream.xml): it turns opening the host's
# ports into a one-liner on the distros that use ufw instead of firewalld
# (CachyOS ships ufw enabled; Debian/Ubuntu ship it installed-but-inactive). ufw
# reads this directory on every command, so no reload is needed after the
# package drops the file — just:
#
#   sudo ufw allow punktfunk-native        # the secure native punktfunk/1 host (the default)
#   sudo ufw allow punktfunk-gamestream    # add GameStream/Moonlight compat (opt-in)
#   sudo ufw allow punktfunk-web           # reach the web console from the LAN (if punktfunk-web is installed)
#   sudo ufw app info punktfunk-native     # show what a profile opens
#
# Same port map as the firewalld services. The punktfunk/1 DATA plane is an
# ephemeral UDP port chosen per session and is NOT listed here: the host
# hole-punches, so a deny-inbound firewall still works (it just adds ~2.5 s at
# session start). To open a fixed one instead, run the host with
# `serve --data-port 9778` and `sudo ufw allow 9778/udp`.

[punktfunk-native]
title=punktfunk host (native punktfunk/1)
description=punktfunk/1 native streaming: QUIC control plane + mDNS auto-discovery
ports=9777/udp|5353/udp

[punktfunk-gamestream]
title=punktfunk host (GameStream/Moonlight)
description=GameStream/Moonlight compatibility ports (opt-in, trusted LAN only)
ports=47984,47989,48010/tcp|47998:48010/udp|5353/udp

# The optional web console (the separate punktfunk-web package). Open only if you installed it and
# want to reach it from another device — it binds all interfaces on TCP 47992 (HTTPS, login-gated).
# The mgmt API (47990) is loopback-only and is deliberately not covered here.
[punktfunk-web]
title=punktfunk web console
description=The optional punktfunk management web console (HTTPS, login-gated) reachable from the LAN
ports=47992/tcp
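
A packaging-time check over this profile, as an added example that is not part of the punktfunk repository: it expands each `ports=` value into (port, protocol) pairs and confirms that no profile opens the loopback-only mgmt API port 47990. The function names, the `MUST_STAY_CLOSED` set and the embedded copy of the `ports=` lines are assumptions of this example.

```python
import configparser

# Constructed input: the ports= lines of the three profiles shown above.
PROFILE = """\
[punktfunk-native]
ports=9777/udp|5353/udp
[punktfunk-gamestream]
ports=47984,47989,48010/tcp|47998:48010/udp|5353/udp
[punktfunk-web]
ports=47992/tcp
"""

# Per the profile's comments the mgmt API (47990) is loopback-only. The page
# does not name its protocol, so this example treats both as off-limits.
MUST_STAY_CLOSED = {(47990, "tcp"), (47990, "udp")}


def expand_ports(spec):
    """Expand a ufw 'ports=' value into a set of (port, proto) pairs."""
    opened = set()
    for entry in spec.split("|"):              # '|' separates entries
        ports, _, proto = entry.partition("/")
        protos = [proto] if proto else ["tcp", "udp"]  # bare port: both
        for item in ports.split(","):          # ',' separates ports in an entry
            lo, _, hi = item.partition(":")    # 'lo:hi' is an inclusive range
            for port in range(int(lo), int(hi or lo) + 1):
                opened.update((port, p) for p in protos)
    return opened


def load_profiles(text):
    """Map each [profile] section name to the set of pairs it opens."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    return {name: expand_ports(cp[name]["ports"]) for name in cp.sections()}


def audit(profiles, forbidden=MUST_STAY_CLOSED):
    """Return {profile: [offending pairs]} for profiles opening forbidden ports."""
    return {name: sorted(opened & forbidden)
            for name, opened in profiles.items() if opened & forbidden}


if __name__ == "__main__":
    profiles = load_profiles(PROFILE)
    for name, opened in profiles.items():
        print(f"{name}: {len(opened)} port/protocol pairs")
    print("violations:", audit(profiles) or "none")
```

An empty result from `audit` means no profile widens exposure beyond the documented port map; a later edit that turns the GameStream TCP list into a range spanning 47990 would be reported under that profile's name.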