How to securely load a firewall before networking gets up?

Patrick Schleizer patrick-mailinglists at whonix.org
Sat Jul 30 19:45:00 BST 2016


Felipe Sateler:
> On 30 July 2016 at 13:58, Patrick Schleizer
> <patrick-mailinglists at whonix.org> wrote:
>> How to securely load a firewall before networking gets up?
>>
>> Can you provide a secure, recommended or even canonical example of such
>> a firewall.service?
>>
>> It does not become clear from systemd documentation [0] that
>> DefaultDependencies=no should be used. I also asked about this on the
>> systemd mailing list [3], but I am still not certain I understand right.
>>
>> Since at least firewalld [1] and netfilter-persistent [2] have broken
>> systemd dependencies (which could result in the firewalls being loaded too
>> late), I thought a little more attention on this topic might be justified.
>>
>> Is there something Debian specific about the network-pre.target or other
>> special systemd targets?
> 
> The problem is that network-pre doesn't have any ordering with respect to
> basic.target, and thus can occur before that target is reached. This
> means that any unit that tries to order before network-pre.target
> needs to set DefaultDependencies=no, and list all the required
> dependencies and mounts.
> 

Is this Debian specific? Is it something that could/should be
explained/reported to systemd?
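The following is an added example of a firewall.service written the way Felipe describes above: it is not a unit file from this thread, from Debian or from the systemd project. It assumes an nftables ruleset at /etc/nftables.conf and the nft binary at /usr/sbin/nft; substitute iptables-restore or whatever loads your ruleset. The point is that DefaultDependencies=no removes the implicit Requires=/After=sysinit.target, After=basic.target and Conflicts=/Before=shutdown.target, so every dependency the unit really needs (mounted filesystems, loaded kernel modules, orderly shutdown) has to be listed by hand.

```ini
# /etc/systemd/system/firewall.service (added example, not from the thread)
[Unit]
Description=Load netfilter ruleset before any network interface is configured
Documentation=man:systemd.special(7) man:systemd.unit(5)

# Without this, systemd adds After=basic.target, and network-pre.target has no
# ordering against basic.target, so the firewall could be loaded after a
# network manager ordered After=network-pre.target has already brought up links.
DefaultDependencies=no

# network-pre.target is a passive target: nothing pulls it in by itself.
# Wants= makes sure it exists in the transaction, Before= orders us in front
# of it; network managers (networkd, NetworkManager, ifupdown) order
# After=network-pre.target, so they cannot configure interfaces before we run.
Wants=network-pre.target
Before=network-pre.target

# Dependencies that DefaultDependencies=no dropped and that ExecStart needs:
# the filesystem holding nft and the ruleset, and the netfilter modules.
RequiresMountsFor=/etc/nftables.conf /usr/sbin/nft
After=local-fs.target systemd-modules-load.service

# Re-add the shutdown ordering that DefaultDependencies=no removed, so the
# unit is stopped in an orderly way instead of being torn down last.
Conflicts=shutdown.target
Before=shutdown.target

[Service]
Type=oneshot
RemainAfterExit=yes
# -f replaces the ruleset atomically; the file should start with
# "flush ruleset" so a reload does not accumulate duplicate rules.
ExecStart=/usr/sbin/nft -f /etc/nftables.conf
ExecReload=/usr/sbin/nft -f /etc/nftables.conf
# Deliberately no ExecStop: stopping the unit must not open the firewall.

[Install]
# Not multi-user.target: that is reached after basic.target, which is exactly
# the ordering we are avoiding. sysinit.target is what early-boot units join.
WantedBy=sysinit.target
```

Two checks are worth running after installing the unit: `systemd-analyze verify /etc/systemd/system/firewall.service` reports missing units and ordering cycles, and `systemctl list-dependencies --after firewall.service` together with `systemctl show -p After -p Before -p Wants firewall.service` confirms that the only things the unit waits for are the ones listed above and that network-pre.target really is ordered after it. One caveat that follows from running this early: name resolution is not available yet, so the ruleset must use literal addresses, not hostnames, or nft will fail and the firewall will not be loaded at all.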




More information about the Pkg-systemd-maintainers mailing list