How to securely load a firewall before networking gets up?

Felipe Sateler fsateler at gmail.com
Sat Jul 30 21:22:20 BST 2016


On 30 Jul 2016 2:46 p.m., "Patrick Schleizer" <
patrick-mailinglists at whonix.org> wrote:
>
> Felipe Sateler:
> > On 30 July 2016 at 13:58, Patrick Schleizer
> > <patrick-mailinglists at whonix.org> wrote:
> >> How to securely load a firewall before networking gets up?
> >>
> >> Can you provide a secure, recommended or even canonical example of such
> >> a firewall.service?
> >>
> >> It does not become clear from systemd documentation [0] that
> >> DefaultDependencies=no should be used. I also asked about this on the
> >> system mailing list [3], but I am still not certain I understand right.
> >>
> >> Since at least firewalld [1] and netfilter-persistent [2] have broken
> >> systemd dependencies (which could result in the firewalls being loaded
> >> too late), I thought a little more attention on this topic might be
> >> justified.
> >>
> >> Is there something Debian specific about the network-pre.target or other
> >> special systemd targets?
> >
> > The problem is that network-pre doesn't have any ordering wrt
> > basic.target, and thus can occur before that target is reached. This
> > means that any unit that tries to order before network-pre.target
> > needs to set DefaultDependencies=no, and list all the required
> > dependencies and mounts.
> >
>
> Is this Debian specific? Or is it something that could/should be
> explained/reported to systemd?

This is not debian specific. Network might be required to mount /var, so if
firewalls should start before the network then they should be prepared to
start relatively early during boot.

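To make the advice in this exchange concrete, here is an added example that is not from the thread and not from firewalld, netfilter-persistent or any other package it mentions: a firewall.service written the way Felipe describes (DefaultDependencies=no, ordered before network-pre.target, with the mounts it needs declared by hand), next to a unit of the broken shape the thread complains about, and a small POSIX shell check that flags the mistakes. The unit text, the /etc/firewall rules path and the check_unit_file function are all constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from firewalld/netfilter-persistent.
# Everything here (unit text, /etc/firewall paths, the checker) is constructed.
set -eu

# A firewall unit that is started before any interface is configured.
# DefaultDependencies=no drops the implicit After=basic.target/sysinit.target,
# so the unit has to name everything it relies on itself: the mount holding
# the rules files and the local file systems for the iptables binaries. Keep
# the rules out of /var, which may itself be a network mount.
GOOD_UNIT='[Unit]
Description=Load netfilter rules before the network comes up
DefaultDependencies=no
Wants=network-pre.target
Before=network-pre.target shutdown.target
After=local-fs.target
RequiresMountsFor=/etc/firewall
Conflicts=shutdown.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/iptables-restore /etc/firewall/rules.v4
ExecStart=/usr/sbin/ip6tables-restore /etc/firewall/rules.v6

[Install]
WantedBy=multi-user.target'

# The shape of unit the thread warns about: ordered before network-pre.target
# but with default dependencies left on, so it also gets After=basic.target,
# which network-pre.target is not ordered against; its rules also live in /var.
BAD_UNIT='[Unit]
Description=Firewall with default dependencies left on
Wants=network-pre.target
Before=network-pre.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/iptables-restore /var/lib/firewall/rules.v4'

# check_unit_file FILE: return 0 if FILE declares the ordering Felipe
# describes, 1 (with the reason on stderr) otherwise.
check_unit_file() {
    unit=$1
    grep -q '^DefaultDependencies=no$' "$unit" \
        || { echo "$unit: missing DefaultDependencies=no" >&2; return 1; }
    grep -Eq '^Before=.*network-pre\.target' "$unit" \
        || { echo "$unit: not ordered Before=network-pre.target" >&2; return 1; }
    grep -Eq '^Wants=.*network-pre\.target' "$unit" \
        || { echo "$unit: should Wants=network-pre.target so the target is pulled in" >&2; return 1; }
    # Every rules file an ExecStart= line reads must sit below a path that the
    # unit waits for via RequiresMountsFor=; otherwise it may race the mount.
    mounts=$(sed -n 's/^RequiresMountsFor=//p' "$unit")
    for rules in $(awk '/^ExecStart=/ { print $NF }' "$unit"); do
        covered=0
        for m in $mounts; do
            case $rules in "$m"|"$m"/*) covered=1 ;; esac
        done
        [ "$covered" -eq 1 ] \
            || { echo "$unit: $rules is not covered by RequiresMountsFor=" >&2; return 1; }
    done
    return 0
}

# Stand-alone demo: write both constructed units to a scratch directory and
# run the check over them.
demo_dir=$(mktemp -d)
printf '%s\n' "$GOOD_UNIT" > "$demo_dir/firewall.service"
printf '%s\n' "$BAD_UNIT" > "$demo_dir/broken.service"
check_unit_file "$demo_dir/firewall.service" && echo "firewall.service: ok"
if check_unit_file "$demo_dir/broken.service"; then
    echo "broken.service: unexpectedly passed"
else
    echo "broken.service: rejected"
fi
rm -rf "$demo_dir"
```

The check is deliberately narrow: it only looks for the three directives the thread turns on and for rules files that are read from a path the unit does not wait for. After installing a unit like the first one as /etc/systemd/system/firewall.service, `systemctl show -p After -p Before firewall.service` lets you confirm that the implicit basic.target ordering is gone and that network-pre.target appears in Before=.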