Hi! I’m happy to submit a bug report/PR on this, but I ran into an issue when adding mosh support to my Trellis box.
In an attempt to open up Mosh ports (60000:61000) I messed up: I created a new rule in security.yml without defining a variable.
- type: dport_accept
dport: [mosh] # 👈 oopz
protocol: udp
Before I realized my mistake, I deployed, so the rule was created at /etc/ferm/filter-input.d/50_dport_accept_mosh.conf. The deploy failed when iptables didn’t know what to do with mosh.
I corrected the variable:
- type: dport_accept
dport: ["60000:61000"] # 👈 Strings work for port ranges
protocol: udp
…and re-deployed.
Ansible is set to delete rules in /etc/ferm/filter-input.d/, but it only deletes rules listed in ferm_input_list. The deploy failed: /etc/ferm/filter-input.d/50_dport_accept_mosh.conf still existed, so iptables refused to use the updated rules.
Should the ferm role be updated to just completely empty /etc/ferm/filter-input.d instead of only deleting rules in the list? It seems like that would be more stable, unless a user has manually defined ferm rules and dropped 'em in there.