TLDR: How to securely load a firewall before networking gets up?
Can you provide a secure, recommended or even canonical example of such a firewall.service?

Long: Various people have come up with different implementations, and the systemd.special documentation makes me wonder if my own interpretation would be ideal. Why not WantedBy=network-pre.target?

##### firewalld.service (from Debian package)

[Unit]
Description=firewalld - dynamic firewall daemon
Before=network.target
Before=libvirtd.service
Before=NetworkManager.service
Conflicts=iptables.service ip6tables.service ebtables.service

[Service]
ExecStart=/usr/sbin/firewalld --nofork --nopid
ExecReload=/bin/kill -HUP $MAINPID
# suppress to log debug and error output also to /var/log/messages
StandardOutput=null
StandardError=null
Type=dbus
BusName=org.fedoraproject.FirewallD1

[Install]
WantedBy=basic.target
Alias=dbus-org.fedoraproject.FirewallD1.service

##### corridor-init-forwarding.service.in (by corridor package)

[Unit]
Description=corridor's forwarding
After=iptables.service systemd-sysctl.service
Before=network-pre.target
Wants=network-pre.target

[Service]
ExecStart=SBIN/corridor-init-forwarding
ExecStop=SBIN/corridor-stop-forwarding
Type=oneshot
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
RequiredBy=systemd-networkd.service

_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
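
An added example, not part of the original post or of either package: a small Python check, run over the [Unit] and [Install] lines of the two units quoted above, for the ordering that systemd.special(7) describes for network-pre.target (order Before= it and pull it in with Wants=, because the target is passive and network managers only order themselves after it). The function names are hypothetical, and the check looks only at ordering relative to network-pre.target.

```python
from collections import defaultdict
# [Unit]/[Install] lines copied from the two units quoted in the post.
FIREWALLD = """\
[Unit]
Before=network.target
Before=libvirtd.service
Before=NetworkManager.service
[Install]
WantedBy=basic.target
"""
CORRIDOR = """\
[Unit]
After=iptables.service systemd-sysctl.service
Before=network-pre.target
Wants=network-pre.target
[Install]
WantedBy=multi-user.target
RequiredBy=systemd-networkd.service
"""

def parse_unit(text):
    """Return {section: {key: [values]}}, merging repeated keys and lists."""
    unit = defaultdict(lambda: defaultdict(list))
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line and section:
            key, value = line.split("=", 1)
            unit[section][key.strip()] += value.split()
    return unit

def check_pre_network(text):
    """Hypothetical helper: list what keeps a unit from running before network setup."""
    unit = parse_unit(text)
    u, inst = unit["Unit"], unit["Install"]
    target, problems = "network-pre.target", []
    if target not in u["Before"]:
        problems.append("no Before=network-pre.target")
    if target not in u["Wants"] + u["Requires"]:
        problems.append("network-pre.target not pulled in (Wants=)")
    if target in inst["WantedBy"] + inst["RequiredBy"]:
        problems.append("[Install] hooks into passive network-pre.target")
    return problems

for name, text in (("firewalld", FIREWALLD), ("corridor", CORRIDOR)):
    print(name, check_pre_network(text) or "ok")
```

The third check relates to the WantedBy=network-pre.target question: a unit installed that way starts only when something else pulls the passive target in.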