On 30 July 2016 at 13:58, Patrick Schleizer <[email protected]> wrote:
> How to securely load a firewall before networking gets up?
>
> Can you provide a secure, recommended or even canonical example of such
> a firewall.service?
>
> It does not become clear from systemd documentation [0] that
> DefaultDependencies=no should be used. I also asked about this on the
> system mailing list [3], but I am still not certain I understand right.
>
> Since at least firewalld [1] and netfilter-persistent [2] have broken
> systemd dependencies (which could result in the firewalls being loaded too
> late), I thought a little more attention on this topic might be justified.
>
> Is there something Debian specific about the network-pre.target or other
> special systemd targets?

The problem is that network-pre doesn't have any ordering wrt
basic.target, and thus can occur before that target is reached. This
means that any unit that tries to order before network-pre.target needs to
set DefaultDependencies=no, and list all the required dependencies and
mounts.

-- 
Saludos,
Felipe Sateler

_______________________________________________
Pkg-systemd-maintainers mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-systemd-maintainers
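
A unit written along the lines the reply describes, as an added example that is not part of the original thread and not taken from any package discussed in it. The unit name, the rules path /etc/firewall/rules.v4 and the location of iptables-restore are assumptions.

```ini
# /etc/systemd/system/firewall.service  (hypothetical name and path)
[Unit]
Description=Load packet filter rules before any interface is configured

# network-pre.target has no ordering relative to basic.target, so the
# implicit After=sysinit.target/basic.target that every service gets by
# default must be switched off, otherwise this unit can start too late.
DefaultDependencies=no

# network-pre.target is passive: it only exists in the boot transaction
# if something pulls it in, hence Wants= in addition to Before=.
Wants=network-pre.target
Before=network-pre.target

# DefaultDependencies=no also drops the implicit shutdown handling,
# so it is restored by hand.
Conflicts=shutdown.target
Before=shutdown.target

# Explicit dependencies on what the unit really needs. RequiresMountsFor=
# adds Requires= and After= on the mount units holding the rules file.
# The path is an assumption; list every file system the loader reads.
RequiresMountsFor=/etc/firewall
# Only relevant if netfilter modules are listed in modules-load.d.
After=systemd-modules-load.service

[Service]
Type=oneshot
# Keep the unit "active" after the loader exits so that units ordered
# after it, and systemctl status, see the rules as loaded.
RemainAfterExit=yes
# Binary location is an assumption; adjust to the local installation.
ExecStart=/sbin/iptables-restore /etc/firewall/rules.v4

[Install]
# Enabled from an early target; with DefaultDependencies=no this does
# not order the unit after that target.
WantedBy=sysinit.target
```

After enabling it, `systemd-analyze verify firewall.service` reports unit file errors, and `systemctl show -p Before -p After firewall.service` shows the ordering systemd actually computed.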
