On Thu, 28.07.16 17:29, Patrick Schleizer (patrick-mailingli...@whonix.org) wrote:
> TLDR:
>
> How to securely load a firewall before networking gets up?
>
> Can you provide a secure, recommended or even canonical example of such
> a firewall.service?

See https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/

> [Unit]
> Description=firewalld - dynamic firewall daemon
> Before=network.target

This is pointless and really doesn't do what the author of this file
might think it does.

> [Service]
> ExecStart=/usr/sbin/firewalld --nofork --nopid
> ExecReload=/bin/kill -HUP $MAINPID
> # supress to log debug and error output also to /var/log/messages
> StandardOutput=null
> StandardError=null
> Type=dbus
> BusName=org.fedoraproject.FirewallD1
>
> [Install]
> WantedBy=basic.target

This is actively broken. A unit that hooks into basic.target *must*
set DefaultDependencies=no, otherwise this will result in a cyclic
dependency.

> [Unit]
> Description=corridor's forwarding
> After=iptables.service systemd-sysctl.service
> Before=network-pre.target
> Wants=network-pre.target

This is correct.

>
> [Service]
> ExecStart=SBIN/corridor-init-forwarding
> ExecStop=SBIN/corridor-stop-forwarding

The "SBIN/" doesn't look right.

Lennart

-- 
Lennart Poettering, Red Hat
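An added example, not part of the original message and not code from systemd, firewalld or corridor: a small Python lint that applies the points raised in the reply to a firewall unit before it is deployed. The function names, finding labels and the two sample constants (trimmed copies of the units quoted in the thread) are assumptions made for this sketch.

```python
# Added example: lint a firewall unit against the points raised in the reply.
FIREWALLD_UNIT = """\
[Unit]
Before=network.target
[Service]
ExecStart=/usr/sbin/firewalld --nofork --nopid
[Install]
WantedBy=basic.target
"""
CORRIDOR_UNIT = """\
[Unit]
After=iptables.service systemd-sysctl.service
Before=network-pre.target
Wants=network-pre.target
[Service]
ExecStart=SBIN/corridor-init-forwarding
ExecStop=SBIN/corridor-stop-forwarding
"""

def parse_unit(text):
    """Return {(section, key): [values]}; unit files may repeat a key."""
    settings, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            settings.setdefault((section, key.strip()), []).append(value.strip())
    return settings

def lint_firewall_unit(text):
    s = parse_unit(text)
    names = lambda sec, key: {w for v in s.get((sec, key), []) for w in v.split()}
    findings = []
    # Ordering before network.target does not place the unit ahead of network setup.
    if "network-pre.target" not in names("Unit", "Before"):
        findings.append("not-ordered-before-network-pre.target")
    elif "network-pre.target" not in names("Unit", "Wants"):
        findings.append("network-pre.target-not-pulled-in")
    default_deps = s.get(("Unit", "DefaultDependencies"), ["yes"])[-1].lower()
    if "basic.target" in names("Install", "WantedBy") and default_deps not in ("no", "false", "0", "off"):
        findings.append("basic.target-without-DefaultDependencies=no")
    # Heuristic for the "SBIN/" remark: a path with a slash that is not absolute.
    for key in ("ExecStart", "ExecStop"):
        for cmd in s.get(("Service", key), []):
            binary = cmd.lstrip("-@:+!").split(" ")[0]
            if "/" in binary and not binary.startswith("/"):
                findings.append(f"{key}-relative-path")
    return findings
```

Run over the two quoted units, it reports the ordering and basic.target problems for the first and only the unexpanded `SBIN/` paths for the second.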