don't log igmp; drop multicast silently

2025-04-20 01:11:38 +02:00 · 2019-07-20 18:25:06 -07:00 · 2019-07-20 18:25:06 -07:00 · b7f53d8555
commit b7f53d8555
parent 6d7c298731
2 changed files with 30 additions and 3 deletions
--- a/README.md
+++ b/README.md
@ -10,9 +10,11 @@ is running on the same Raspberry Pi to be configured.

 ## Bootstrapping on Raspbian

-You will need ansible installed on the Raspberry Pi being configured.
+You will need ansible installed on the Raspberry Pi being configured.  This
+playbook relies on Ansible 2.8 or newer, which means you can no longer use
+`sudo apt-get install ansible`.  Instead, you must

-    $ sudo apt-get install ansible
+    $ sudo pip install ansible

 ## Configuration

--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@ -92,18 +92,43 @@
    port: ssh
    proto: tcp
    log: yes
+  tags:
+    - ufw
+
+- name: allow mDNS through UFW
+  ufw:
+    rule: allow
+    to_ip: 224.0.0.251
+    proto: igmp
+    log: no
+  tags:
+    - ufw
+
+- name: drop multicast without logging
+  ufw:
+    rule: deny
+    to_ip: 224.0.0.1
+    log: no
+  tags:
+    - ufw

 - name: set default incoming UFW policy to deny
  ufw:
    direction: incoming
    policy: deny
+  tags:
+    - ufw

- name: set default outgoing UFW policy to deny
+- name: set default outgoing UFW policy to allow
  ufw:
    direction: outgoing
    policy: allow
+  tags:
+    - ufw

 - name: enable UFW
  ufw:
    state: enabled
    logging: yes
+  tags:
+    - ufw