Package: ferm
Version: 2.7-3
Severity: grave
Dear maintainers,
The systemd unit introduced in 2.7-3 (without a NEWS.Debian) fails
to load the firewall at boot, leaving INPUT at default-ACCEPT.
Two causes:
1. Ordering cycle: the unit sets "After=network.target" together with
"Before=network-pre.target". With NetworkManager (network-pre -> NM ->
network.target) this is cyclic; systemd breaks it non-deterministically
and may well skip ferm entirely:

    ferm.service: Found ordering cycle: NetworkManager.service after
    network-pre.target after ferm.service after network.target ...

2. ProtectSystem=strict makes /run read-only in the unit's namespace, but
ReadWritePaths lists only /var/cache/ferm, so iptables-legacy cannot
create /run/xtables.lock:

    Fatal: can't open lock file /run/xtables.lock: Read-only file system
    ferm.service: Main process exited, code=exited, status=4/NOPERMISSION

This fails deterministically on every boot with the legacy backend.
Fix for (1): drop "After=network.target" (a firewall belongs before the
network; Before=network-pre.target is correct).
Fix for (2): add /run to ReadWritePaths.
Secondary: the unit drops CAP_SYS_MODULE, so ferm can no longer modprobe
netfilter modules itself ("modprobe: ... ip6_tables: Operation not
permitted"). It should ship a modules-load.d snippet for the core modules.
Petr
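A local mitigation an administrator can apply until the package is fixed, given here as an added example (it is not part of the report or the ferm package): a systemd drop-in that carries the two fixes, plus a modules-load.d snippet for the secondary point. File paths and the module names other than ip6_tables are assumptions and should be matched to the tables the local ferm.conf actually uses.

```ini
# /etc/systemd/system/ferm.service.d/override.conf   (added example, not the package unit)
# Drop-in applying the two fixes from the report without editing the packaged
# unit. Activate with: systemctl daemon-reload && systemd-analyze verify ferm.service
[Unit]
# An empty assignment resets the packaged After= list, so "After=network.target"
# no longer forms a cycle with "Before=network-pre.target" under NetworkManager.
After=
# network-pre.target is a passive target: a unit must pull it in with Wants=
# for Before=network-pre.target to actually order the firewall before the network.
Wants=network-pre.target
Before=network-pre.target

[Service]
# ReadWritePaths= is additive across drop-ins; re-opening /run lets
# iptables-legacy create /run/xtables.lock under ProtectSystem=strict.
ReadWritePaths=/run

# /etc/modules-load.d/ferm.conf   (added example; names other than ip6_tables are assumed)
# Load the netfilter modules at boot, since the unit drops CAP_SYS_MODULE and
# ferm can no longer modprobe them itself.
ip_tables
ip6_tables
iptable_filter
ip6table_filter
```

After a reboot, the absence of "Found ordering cycle" in the journal and a default-DROP policy on INPUT confirm both fixes took effect.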