How to securely load a firewall before networking gets up?

Felipe Sateler fsateler at debian.org
Sat Jul 30 19:14:29 BST 2016


On 30 July 2016 at 13:58, Patrick Schleizer
<patrick-mailinglists at whonix.org> wrote:
> How to securely load a firewall before networking gets up?
>
> Can you provide a secure, recommended or even canonical example of such
> a firewall.service?
>
> It does not become clear from systemd documentation [0] that
> DefaultDependencies=no should be used. I also asked about this on the
> system mailing list [3], but I am still not certain I understand right.
>
> Since at least firewalld [1] and netfilter-persistent [2] have broken
> systemd dependencies (which could result in the firewalls being loaded too
> late), I thought a little more attention on this topic might be justified.
>
> Is there something Debian specific about the network-pre.target or other
> special systemd targets?

The problem is that network-pre doesn't have any ordering with respect to
basic.target, and thus can occur before that target is reached. This
means that any unit that tries to order before network-pre.target
needs to set DefaultDependencies=no, and list all the required
dependencies and mounts.

-- 

Saludos,
Felipe Sateler
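The following unit is an added example of the pattern described in the reply above (DefaultDependencies=no, ordered before network-pre.target, with the mounts and early-boot units it needs spelled out by hand). It is not a unit from the thread, from the firewalld or netfilter-persistent packages, or from any Debian package; the unit name, the /etc/firewall directory and the rules files are assumptions, and the iptables-restore/ip6tables-restore paths are the usual Debian locations.

```ini
# /etc/systemd/system/firewall.service  (example unit; paths are assumptions)
[Unit]
Description=Load netfilter ruleset before any network interface is configured
Documentation=man:systemd.special(7) man:iptables-restore(8)

# Drop the implicit Requires/After on sysinit.target and basic.target.
# Without this, ordering Before=network-pre.target can never be satisfied,
# because network-pre.target itself is not ordered after basic.target.
DefaultDependencies=no

# Pull network-pre.target in and run before it. Network managers order
# themselves After=network-pre.target, so the rules are in the kernel
# before any link is brought up.
Wants=network-pre.target
Before=network-pre.target

# DefaultDependencies=no also drops the shutdown ordering; restore it so the
# unit is stopped in order rather than killed in the final SIGTERM sweep.
Conflicts=shutdown.target
Before=shutdown.target

# Nothing is implied any more, so list what the unit actually needs:
# the filesystem holding the rules, and module loading for netfilter modules.
RequiresMountsFor=/etc/firewall
After=local-fs.target systemd-modules-load.service

[Service]
Type=oneshot
# Keep the unit "active" after ExecStart returns so dependents see it as up.
RemainAfterExit=yes
StandardInput=null

# Parse both rulesets first (--test does not commit); a syntax error then
# fails the unit before any partial ruleset reaches the kernel.
ExecStartPre=/sbin/iptables-restore --test /etc/firewall/rules.v4
ExecStartPre=/sbin/ip6tables-restore --test /etc/firewall/rules.v6
ExecStart=/sbin/iptables-restore /etc/firewall/rules.v4
ExecStart=/sbin/ip6tables-restore /etc/firewall/rules.v6

# No ExecStop on purpose: stopping the unit must not flush the rules,
# otherwise a "systemctl stop" would fail open.

# The restore tools only need network capabilities; keep the rest read-only.
ProtectSystem=full
ProtectHome=yes

[Install]
# sysinit.target is reached early enough; multi-user.target would be too late
# for a unit that has to precede network-pre.target.
WantedBy=sysinit.target
```

After `systemctl daemon-reload` and `systemctl enable firewall.service`, `systemd-analyze verify /etc/systemd/system/firewall.service` reports ordering cycles or unknown units, and `systemctl show -p After,Before firewall.service` shows that only the listed units remain as ordering dependencies. Note that Wants= is not Requires=: if the ruleset fails to load, network-pre.target and the network units still start, so the failed state of firewall.service (`systemctl is-failed firewall.service`) is something to check or alert on rather than something that blocks networking by itself.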
