There's a bug in qubes-firewall.service. It should pull in and be ordered before network-pre.target such that the firewall rules are guaranteed to be in place before the network is raised.
>From man sytemd.special, network-pre.target This passive target unit may be pulled in by services that want to run before any network is set up, for example for the purpose of setting up a firewall. All network management software orders itself after this target, but does not pull it in. >From https://systemd.io/NETWORK_ONLINE/ network-pre.target is used to order services before any network interfaces start to be configured. Its primary purpose is for usage with firewall services that want to establish a firewall before any network interface is up. Services that want to be run before the network is configured should use Before=network-pre.target and Wants=network-pre.target. I suggest applying this change so that people who are currently relying on this popular guide https://forum.qubes-os.org/t/configuring-a-proxyvm-vpn-gateway/19061 can continue to do so without having to make modifications to systemd themselves. -- You received this message because you are subscribed to the Google Groups "qubes-devel" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-devel+unsubscr...@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/qubes-devel/4VwEmFFzxjyKyBoWNQLECC4Jn6HGpO8FNja-SLsEgwJlfynEmF1ARKV1XMrzC6ie4vD27aFr-nYQCuw7u7o79OyTrXChSO4gsrcSXlGOFkw%3D%40proton.me.
