diff --git a/REFERENCE.md b/REFERENCE.md
index 0aed781..d52ac03 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -87,6 +87,7 @@ and Manager Daemons (MGR).
* [`nftables::rules::ssh`](#nftables--rules--ssh): manage in ssh
* [`nftables::rules::tor`](#nftables--rules--tor): manage in tor
* [`nftables::rules::wireguard`](#nftables--rules--wireguard): manage in wireguard
+* [`nftables::rules::wsd`](#nftables--rules--wsd): allow incoming webservice discovery
* [`nftables::services::dhcpv6_client`](#nftables--services--dhcpv6_client): Allow in and outbound traffic for DHCPv6 server
* [`nftables::services::openafs_client`](#nftables--services--openafs_client): Open inbound and outbound ports for an AFS client
@@ -1393,6 +1394,36 @@ wiregueard port
Default value: `[51820]`
+### `nftables::rules::wsd`
+
+allow incoming webservice discovery
+
+* **See also**
+ * https://docs.oasis-open.org/ws-dd/ns/discovery/2009/01
+
+#### Parameters
+
+The following parameters are available in the `nftables::rules::wsd` class:
+
+* [`ipv4`](#-nftables--rules--wsd--ipv4)
+* [`ipv6`](#-nftables--rules--wsd--ipv6)
+
+##### `ipv4`
+
+Data type: `Boolean`
+
+Allow ws-discovery over IPv4
+
+Default value: `true`
+
+##### `ipv6`
+
+Data type: `Boolean`
+
+Allow ws-discovery over IPv6
+
+Default value: `true`
+
### `nftables::services::dhcpv6_client`
Allow in and outbound traffic for DHCPv6 server
diff --git a/manifests/rules/wsd.pp b/manifests/rules/wsd.pp
new file mode 100644
index 0000000..0bfc0b3
--- /dev/null
+++ b/manifests/rules/wsd.pp
@@ -0,0 +1,23 @@
+#
+# @summary allow incoming webservice discovery
+#
+# @param ipv4 Allow ws-discovery over IPv4
+# @param ipv6 Allow ws-discovery over IPv6
+#
+# @see https://docs.oasis-open.org/ws-dd/ns/discovery/2009/01
+#
+class nftables::rules::wsd (
+ Boolean $ipv4 = true,
+ Boolean $ipv6 = true,
+) {
+ if $ipv4 {
+ nftables::rule { 'default_in-wsd_v4':
+ content => 'ip daddr 239.255.255.250 udp dport 3702 accept comment "accept ws-discovery"',
+ }
+ }
+ if $ipv6 {
+ nftables::rule { 'default_in-wsd_v6':
+ content => 'ip6 daddr ff02::c udp dport 3702 accept comment "accept ws-discovery"',
+ }
+ }
+}
diff --git a/spec/acceptance/all_rules_spec.rb b/spec/acceptance/all_rules_spec.rb
index 578b0ff..0786e9b 100644
--- a/spec/acceptance/all_rules_spec.rb
+++ b/spec/acceptance/all_rules_spec.rb
@@ -90,6 +90,7 @@ class { 'nftables':
include nftables::rules::ssdp
include nftables::rules::mdns
include nftables::rules::igmp
+ include nftables::rules::wsd
include nftables::rules::out::igmp
include nftables::rules::out::mldv2
include nftables::rules::out::mdns