> Then it is not reproducible, i.e. not a bug, so unman is right.

Firstly, I said I didn't attempt to capture it, not that it isn't reproducible. Secondly, not reproducible implies not a bug? Absurd claim. What are you talking about?

> Compare what you quoted to the reference:
> Exactly what I tried to explain too.

My explanation of why you misunderstood the reference is **exactly** the same as what Marek explained. Your initial explanation was relying purely on systemd ordering semantics, not the key detail that Marek added about forwarding.

> Adding Before=network-pre.target to qubes-firewall may work,
> but as explained in my response, it isn't really necessary. Note also
> that qubes-firewall is only about configuring firewall for forwarded
> traffic. Base firewall for the qube itself (input rules etc) is set in
> qubes-iptables.service and that has Before=network-pre.target.

I admit my initial concern is no longer valid, but I think it still makes sense to put these rules before network-pre.target. These rules are commonly used for things other than forwarding. Look at the VPN guide I linked; they use these rules to only allow vpn-process traffic out eth0. If the rules are only related to forwarding, then at the very least the name of the script and/or a comment within should include this.

On Sunday, March 23rd, 2025 at 6:40 AM, skiinglasso2 <skiinglas...@proton.me> wrote:

> There's a bug in qubes-firewall.service. It should pull in and be ordered
> before network-pre.target such that the firewall rules are guaranteed to be
> in place before the network is raised.
>
> From man systemd.special,
> network-pre.target
> This passive target unit may be pulled in by services that want to
> run before any network is set up, for example for the purpose of
> setting up a firewall. All network management software orders
> itself after this target, but does not pull it in.
>
> From https://systemd.io/NETWORK_ONLINE/
> network-pre.target is used to order services before any network interfaces
> start to be configured. Its primary purpose is for usage with firewall
> services that want to establish a firewall before any network interface is
> up. Services that want to be run before the network is configured should use
> Before=network-pre.target and Wants=network-pre.target.
>
> I suggest applying this change so that people who are currently relying on
> this popular guide
> https://forum.qubes-os.org/t/configuring-a-proxyvm-vpn-gateway/19061 can
> continue to do so without having to make modifications to systemd themselves.
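
An added example, not part of the thread and not Qubes OS code: a shell check that reads the output of `systemctl show -p Before -p Wants <unit>` and reports whether the unit has both settings the quoted systemd documentation asks for. The sample outputs are constructed, and the function names `prop_lists_target` and `check_unit` are hypothetical.

```shell
#!/bin/sh
# Check that a unit is ordered before network-pre.target AND pulls it in.
# Feed it real data with:
#   check_unit "$(systemctl show -p Before -p Wants qubes-firewall.service)"
TARGET=network-pre.target

# Constructed sample outputs (not captured from a real qube).
SAMPLE_OK='Wants=network-pre.target
Before=network-pre.target shutdown.target'
SAMPLE_LATE='Wants=
Before=shutdown.target multi-user.target'

# prop_lists_target PROP: read "Prop=unit unit ..." lines on stdin and
# succeed only if PROP names $TARGET as an exact, whole unit name.
prop_lists_target() {
    prop=$1
    while IFS= read -r line; do
        case $line in
            "$prop="*)
                for u in ${line#*=}; do
                    [ "$u" = "$TARGET" ] && return 0
                done
                ;;
        esac
    done
    return 1
}

# check_unit SHOW_OUTPUT: print what is missing; return 0 only if both are set.
check_unit() {
    rc=0
    if ! printf '%s\n' "$1" | prop_lists_target Before; then
        echo "no Before=$TARGET: unit is not ordered ahead of network setup"
        rc=1
    fi
    if ! printf '%s\n' "$1" | prop_lists_target Wants; then
        echo "no Wants=$TARGET: unit does not pull the passive target in"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "ordered before $TARGET and pulls it in"
    return "$rc"
}
```

Because network-pre.target is passive, a unit with only `Before=` is reported separately from one with only `Wants=`: the first gives ordering that takes effect only if something else pulls the target in, the second pulls it in without ordering against it.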