don't log igmp; drop multicast silently

README.md

@@ -10,9 +10,11 @@ is running on the same Raspberry Pi to be configured.
 
 ## Bootstrapping on Raspbian
 
-You will need ansible installed on the Raspberry Pi being configured.
+You will need ansible installed on the Raspberry Pi being configured.  This
+playbook relies on Ansible 2.8 or newer, which means you can no longer use
+`sudo apt-get install ansible`.  Instead, you must
 
-    $ sudo apt-get install ansible
+    $ sudo pip install ansible
 
 ## Configuration
 

roles/common/tasks/main.yml

@@ -92,18 +92,43 @@
     port: ssh
     proto: tcp
     log: yes
+  tags:
+    - ufw
+
+- name: allow mDNS through UFW
+  ufw:
+    rule: allow
+    to_ip: 224.0.0.251
+    proto: igmp
+    log: no
+  tags:
+    - ufw
+
+- name: drop multicast without logging
+  ufw:
+    rule: deny
+    to_ip: 224.0.0.1
+    log: no
+  tags:
+    - ufw
 
 - name: set default incoming UFW policy to deny
   ufw:
     direction: incoming
     policy: deny
+  tags:
+    - ufw
 
-- name: set default outgoing UFW policy to deny
+- name: set default outgoing UFW policy to allow
   ufw:
     direction: outgoing
     policy: allow
+  tags:
+    - ufw
 
 - name: enable UFW
   ufw:
     state: enabled
     logging: yes
+  tags:
+    - ufw