
[debops.ferm] Allow 'mdns' traffic on workstations

drybjed committed Aug 11, 2019
1 parent 34ee241 commit 88943b9d313451ecb07ec9be3ef84f71791d429c
Showing with 27 additions and 0 deletions.
  1. +9 −0 CHANGELOG.rst
  2. +18 −0 ansible/roles/debops.ferm/defaults/main.yml
@@ -69,6 +69,15 @@ LDAP
able to access SSH service from any host. Existing installations might need
to be updated manually to fix UID/GID or LDAP DN conflicts.

:ref:`debops.ferm` role

- If Avahi/mDNS support is present on a host, the :ref:`debops.ferm` role will
allow access through the ``mdns`` UDP port by default. This will most likely
happen on workstations and laptops with full desktop environments installed,
but not on servers with minimal install. To configure Avahi service or enable
it on servers, you can use the :ref:`debops.avahi` Ansible role.

:ref:`debops.lxc` role

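Review bot: the CHANGELOG entry says mDNS access is allowed "by default" but does not tell operators how to narrow it, even though the rule added in ansible/roles/debops.ferm/defaults/main.yml takes its source addresses from ``avahi__allow`` (empty by default, combined with ``accept_any: True``, so any source is accepted). Suggest adding one sentence to this entry, e.g. ``Access can be limited to specific source addresses with the ``avahi__allow`` variable.``, so hosts on shared or untrusted networks can restrict the rule without reading the role defaults.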
@@ -507,6 +507,24 @@ ferm__default_rules:
dport: [ 'dhcpv6-client' ]
rule_state: '{{ "present" if ("ip6" in ferm__domains) else "absent" }}'

# Avahi is usually installed by default on workstations and laptops where
# it is useful. To manage Avahi on servers, you should enable the
# 'debops.avahi' Ansible role which will set up the same firewall rule.
- name: 'avahi'
type: 'accept'
dport: 'mdns'
saddr: '{{ avahi__allow | d([]) }}'
protocol: 'udp'
accept_any: True
rule_state: '{{ "present"
if ((ansible_local|d() and ansible_local.nsswitch|d() and
ansible_local.nsswitch.conf|d() and
"mdns4_minimal" in q("flattened",
ansible_local.nsswitch.conf.hosts|d([]))) and
(ansible_local|d(True) and ansible_local.avahi|d(True) and
else "absent" }}'

- name: 'jump_to_legacy_input_rules'
type: 'accept'
weight: '-10'
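
Review bot: the ``rule_state`` expression of the ``avahi`` rule is syntactically incomplete: the second clause ``(ansible_local|d(True) and ansible_local.avahi|d(True) and`` ends on a dangling ``and`` with no final operand and no closing parenthesis before ``else "absent"``, so Jinja2 will fail with a template syntax error as soon as ``ferm__default_rules`` is evaluated. Either the intended last operand was lost, or the whole clause should be dropped; as a minimal fix the condition could end after the nsswitch check, i.e. ``... ansible_local.nsswitch.conf.hosts|d([]))) else "absent" }}'``. The two clauses also default inconsistently when local facts are absent: the nsswitch check uses ``ansible_local|d()`` (falsy) while the avahi check uses ``ansible_local|d(True)`` (truthy); since they are joined with ``and``, the rule is absent whenever facts are missing anyway, so the ``d(True)`` defaults are misleading and should be ``d()`` for consistency. Finally, with ``saddr: '{{ avahi__allow | d([]) }}'`` and ``accept_any: True`` the default accepts mDNS on UDP from any source; that matches the CHANGELOG wording, but the comment block above the rule should mention ``avahi__allow`` as the knob for restricting source addresses.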
