On 30 Jul 2016 2:46 p.m., "Patrick Schleizer" < [email protected]> wrote:
>
> Felipe Sateler:
> > On 30 July 2016 at 13:58, Patrick Schleizer
> > <[email protected]> wrote:
> >> How to securely load a firewall before networking gets up?
> >>
> >> Can you provide a secure, recommended or even canonical example of such
> >> a firewall.service?
> >>
> >> It does not become clear from systemd documentation [0] that
> >> DefaultDependencies=no should be used. I also asked about this on the
> >> system mailing list [3], but I am still not certain I understand right.
> >>
> >> Since at least firewalld [1] and netfilter-persistent [2] have broken
> >> systemd dependencies (which could result in the firewalls being loaded too
> >> late), I thought a little more attention on this topic might be justified.
> >>
> >> Is there something Debian specific about the network-pre.target or other
> >> special systemd targets?
> >
> > The problem is that network-pre doesn't have any ordering wrt to
> > basic.target, and thus can occur before that target is reached. This
> > means that any unit that tries to order before network-pre.target
> > needs to set DefaultDependencies=no, and list all the required
> > dependencies and mounts.
> >
>
> Is this Debian specific? Something that can be considered a something
> that could/should be explained/reported to systemd?

This is not Debian specific. Network might be required to mount /var, so
if firewalls should start before the network then they should be prepared
to start relatively early during boot.

>
> _______________________________________________
> Pkg-systemd-maintainers mailing list
> [email protected]
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-systemd-maintainers
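Added example, not part of the thread and not taken from firewalld or netfilter-persistent: a unit ordered before network-pre.target in the way Felipe describes, with DefaultDependencies=no and its early-boot requirements listed by hand. The unit name, the use of nftables, and the paths /usr/sbin/nft and /etc/nftables.conf are assumptions.

```ini
# /etc/systemd/system/firewall.service  (hypothetical name and location)
[Unit]
Description=Load packet filter rules before any interface is configured

# Without this line the unit gets an implicit After=basic.target. Because
# network-pre.target has no ordering against basic.target, the rules could
# then be loaded after networking has already started.
DefaultDependencies=no

# network-pre.target is a passive target: it only exists in the boot
# transaction if a unit pulls it in, so Wants= is needed as well as Before=.
Wants=network-pre.target
Before=network-pre.target

# DefaultDependencies=no also drops the implicit shutdown handling,
# so it has to be restated explicitly.
Conflicts=shutdown.target
Before=shutdown.target

# List the mounts the command really needs instead of waiting for
# basic.target (assumed paths; adjust to where the binary and rules live).
RequiresMountsFor=/usr/sbin/nft /etc/nftables.conf

[Service]
Type=oneshot
RemainAfterExit=yes
# Assumed ruleset loader; any tool that loads rules atomically fits here.
ExecStart=/usr/sbin/nft -f /etc/nftables.conf

[Install]
# Pulled in during early boot rather than at multi-user.target.
WantedBy=sysinit.target
```

`systemd-analyze verify firewall.service` checks the unit for errors, and after a reboot `systemctl show -p After network-pre.target` should list firewall.service.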
