From 4ba8b17f1b97b36e8e49f6e7287b920088a159a2 Mon Sep 17 00:00:00 2001 From: Aminda Suomalainen Date: Thu, 17 Jul 2025 10:09:04 +0300 Subject: [PATCH] n/essentialsoftware.md: note systemd socket.BindIPv6Only behaviour and firewalld configuration --- n/essentialsoftware.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/n/essentialsoftware.md b/n/essentialsoftware.md index 7bbe467..1dd33be 100644 --- a/n/essentialsoftware.md +++ b/n/essentialsoftware.md @@ -52,6 +52,7 @@ _{{ page.excerpt }}_ - [`/etc/xdg/autostart`](#etcxdgautostart) - [`aminda-*.{service,socket}`](#aminda-servicesocket) - [systemd sockets](#systemd-sockets) + - [firewalld for systemd sockets](#firewalld-for-systemd-sockets) - [Remember!](#remember) - [Accessing UEFI setup without key smashing](#accessing-uefi-setup-without-key-smashing) - [Recovering selinux policy issues](#recovering-selinux-policy-issues) @@ -565,6 +566,25 @@ sudo systemctl --global enable foot-server.socket sudo systemctl enable --now ssh.socket sshd.socket avahi-daemon.socket systemd-oomd.socket oidentd.socket ``` +Remember that systemd sockets are silly and listen only to `::` by default and +since system administrators not-so-uncommonly set that to only mean IPv6 in +order to avoid dotted-decimals, it may be desirable to have a +`/etc/systemd/system/socket.d/dualstack-bind.conf` with + +```ini +[Socket] +BindIPv6Only=both +``` + +#### firewalld for systemd sockets + +```bash +sudo firewall-cmd --add-service=ssh --permanent && sudo firewall-cmd --add-service=ssh --permanent --zone=home +sudo firewall-cmd --add-service=ident --permanent && sudo firewall-cmd --add-service=ident --permanent --zone=home +sudo firewall-cmd --add-service=mdns --permanent && sudo firewall-cmd --add-service=mdns --permanent --zone=home +sudo firewall-cmd --reload +``` + ## Remember! Not quite configuration, but I am not going to start inventing a new place for
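Review bot: The drop-in path in the new paragraph of the second hunk, `/etc/systemd/system/socket.d/dualstack-bind.conf`, is a type-level drop-in, so `BindIPv6Only=both` applies to every socket unit on the host, not only the ones enabled in the context line above it. Any unit that listens on a bare port or on `[::]` then also accepts IPv4 connections. Consider stating that scope in the text, or using per-unit drop-ins such as `ssh.socket.d/` where only some sockets should be dual-stack. It would also help to mention that the change needs `systemctl daemon-reload` and a restart of the affected socket units. The phrase "listen only to `::` by default" could name the setting it depends on: the unit default is `BindIPv6Only=default`, which follows the `net.ipv6.bindv6only` sysctl. In the firewalld block, the first command of each pair has no `--zone`, so ssh, ident and mdns are also opened in the default zone. If ident and mdns are meant to be reachable only from `home`, drop the unzoned half of those two lines.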