On Tue, Jun 09, 2026 at 02:31:32AM +0000, David Härdeman wrote:
> I've played around with this and I've come up with this:

Thank you.

> [Unit]
> Description=Early firewall configuration with ferm
> Documentation=man:ferm(1)
> Before=network-pre.target
> Wants=network-pre.target
> After=local-fs.target
> ConditionFileIsExecutable=/usr/sbin/ferm
> ConditionPathExists=/etc/ferm/ferm.conf

I am not sure whether After=local-fs.target is needed. According to
bootup(7) that comes _before_ sysinit.target and all services depend on
that. I think that is redundant.

> ExecStart=-/bin/sh -c '/usr/libexec/ferm/ferm-systemd activate && touch /run/ferm-early-success'

Is that any different than having the touch in an ExecStartPost?

> And, more importantly:
> ExecStart=-/bin/sh -c '/usr/libexec/ferm/ferm-systemd activate && touch /run/ferm-early-success'
>
> The "=-" means this will be a best-effort attempt and won't
> error out on failure (like if hostnames have been used in the
> ferm scripts, not something I'd endorse, but I know there's
> people who have different opinions).

So you would recommend to use the same rule set and just come up with
the rule set in some degraded form if it needs network?

> # /usr/lib/systemd/system/ferm.service
> [Unit]
> Description=Firewall configuration with ferm
> Documentation=man:ferm(1)
> After=network-online.target nss-lookup.target
> Wants=network-online.target
> ConditionFileIsExecutable=/usr/sbin/ferm
> ConditionPathExists=/etc/ferm/ferm.conf

I think that nss-lookup.target is important here, yes. Thanks.

> # Execute wrapper
> ExecCondition=/bin/sh -c 'if [ -f /run/ferm-early-success ]; then rm -f /run/ferm-early-success; exit 1; else exit 0; fi'

What is the rationale behind this?

> Rationale:
> ferm.service is the *real* service that'll run unless ferm-early.service
> succeeded. It'll run at a point where the network is up and nss-lookup
> is finished. It'll only run if ferm-early.service failed, and do another
> attempt. If it fails, that'll be a hard fail in the output from e.g.
> "systemctl status". ferm-early.service errors will be ignored.
>
> Also, this ensures that people who are used to "ferm.service" being the
> "real" service can do things like "systemctl restart ferm.service" long
> after the system has booted, and it'll do the right thing.
>
> Finally, it removes the need for separate "early" and "late" ferm scripts.
> Instead, we do a best-effort early firewall setup (will work for ferm
> configurations without hostnames), and then an optional second pass
> (where DNS should be available).

Will ferm still establish a filter when a name lookup fails? I THINK it
may error out itself and not establish anything?

My gut feeling prefers a real two-step approach with two distinct rule
sets.

Greetings
Marc
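The exchange above turns on one question: does the ferm rule set need name resolution? If it does, the early unit that runs before network-pre.target cannot load it, the best-effort ExecStart fails silently, and the host has no filter until the late unit runs after network-online.target and nss-lookup.target. The following is an added example for this thread, not ferm's own code and not part of the proposed unit files: a small Python checker that scans a ferm configuration for saddr/daddr arguments that are not IP addresses or CIDR prefixes, and for @resolve() calls, and reports the lines that would require DNS. The ferm constructs it recognises (saddr, daddr, parenthesised address lists, the "!" negation, @resolve) are real, but the regular expression is a simplified assumption about the grammar rather than ferm's parser, and the sample configuration is constructed for the example.

```python
"""Report the parts of a ferm configuration that need name resolution.

Added example for the thread above; this is not ferm's code and not the
proposed unit files. It checks a rule set before it is handed to an early
firewall unit that runs before network-pre.target: any saddr/daddr argument
that is not an IP address or CIDR prefix, and any @resolve() call, needs
DNS, which is not available at that point in boot.
"""
import ipaddress
import re

# Constructed sample configuration, not a file from the thread.
SAMPLE_CONF = """\
table filter {
    chain INPUT {
        policy DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
        interface lo ACCEPT;
        proto tcp dport ssh saddr 192.0.2.0/24 ACCEPT;
        proto tcp dport 22 saddr (2001:db8::/32 198.51.100.7) ACCEPT;
        # the next two rules need DNS: a bare hostname and an @resolve()
        saddr backup.example.org proto tcp dport 873 ACCEPT;
        daddr @resolve(mirror.example.org) proto tcp dport 443 ACCEPT;
    }
}
"""

# saddr/daddr followed by an optional "!" and one argument: an @resolve()
# call, a parenthesised list, or a single token. This is a simplified
# assumption about the ferm grammar, enough for address arguments written
# in the usual way; it is not ferm's parser.
ADDR_ARG = re.compile(
    r"\b(saddr|daddr)\s+!?\s*(@resolve\(\(?[^)]*\)?\)|\([^)]*\)|\S+)"
)


def is_ip_literal(token: str) -> bool:
    """True for an IPv4/IPv6 address or CIDR prefix, False for anything else."""
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False


def _split_argument(arg: str):
    """Yield (token, via_resolve) for each address in one saddr/daddr argument."""
    via_resolve = arg.startswith("@resolve(")
    if via_resolve:
        arg = arg[len("@resolve("):-1]      # keep only the names inside the call
    for token in re.findall(r"[^\s();,]+", arg):
        yield token, via_resolve


def find_name_dependencies(conf: str):
    """Return [(line_number, token, via_resolve), ...] for every address that
    needs resolution. ferm variables ($NAME) are reported as well, because
    they cannot be judged without expanding the variable first."""
    hits = []
    for lineno, raw in enumerate(conf.splitlines(), start=1):
        line = raw.split("#", 1)[0]          # drop comments before matching
        for m in ADDR_ARG.finditer(line):
            for token, via_resolve in _split_argument(m.group(2)):
                if not is_ip_literal(token):
                    hits.append((lineno, token, via_resolve))
    return hits


def is_safe_for_early_boot(conf: str) -> bool:
    """True when the rule set can be loaded before DNS is available."""
    return not find_name_dependencies(conf)


if __name__ == "__main__":
    for lineno, token, via_resolve in find_name_dependencies(SAMPLE_CONF):
        how = "@resolve()" if via_resolve else "bare hostname"
        print(f"line {lineno}: {token} ({how}) needs DNS")
    print("safe for early boot:", is_safe_for_early_boot(SAMPLE_CONF))
```

Run against the sample it reports lines 9 and 10 and answers "safe for early boot: False", which is exactly the case where the early unit's "=-" would swallow the failure. A rule set that passes this check is a candidate for the early unit; one that fails it either belongs to a separate late rule set, as the two-step approach suggests, or needs its hostnames replaced by addresses.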

