Your message dated Mon, 25 May 2026 17:03:56 +0000
with message-id <[email protected]>
and subject line Bug#1137558: fixed in ferm 2.7-4
has caused the Debian Bug report #1137558,
regarding ProtectSystem=strict fixes
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1137558: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1137558
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: ferm
Version: 2.7-3
Severity: grave

Dear maintainers,

The systemd unit introduced in 2.7-3 (without a NEWS.Debian) fails
to load the firewall at boot, leaving INPUT at default-ACCEPT.

Two causes:

1. Ordering cycle: the unit sets "After=network.target" together with
"Before=network-pre.target". With NetworkManager (network-pre -> NM ->
network.target) this is cyclic; systemd breaks it non-deterministically
and probably may skip ferm entirely.

ferm.service: Found ordering cycle: NetworkManager.service after
network-pre.target after ferm.service after network.target ...

2. ProtectSystem=strict makes /run read-only in the unit's namespace, but
ReadWritePaths lists only /var/cache/ferm, so iptables-legacy cannot
create /run/xtables.lock:

Fatal: can't open lock file /run/xtables.lock: Read-only file system
ferm.service: Main process exited, code=exited, status=4/NOPERMISSION

Fails deterministically every boot on the legacy backend.

Fix for (1): drop "After=network.target" (a firewall belongs before the
network, Before=network-pre.target is correct).

Fix for (2): add /run to ReadWritePaths.

Secondary: the unit drops CAP_SYS_MODULE, so ferm can no longer modprobe
netfilter modules itself ("modprobe: ... ip6_tables: Operation not
permitted"). It should ship a modules-load.d snippet for the core modules.

Petr

--- End Message ---
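As an added example (not code from the ferm package or from the report), a small lint that reads a unit file the way systemd does and flags the three defects described above: the contradictory ordering, ProtectSystem=strict without /run in ReadWritePaths, and a bounding set lacking CAP_SYS_MODULE. The unit text it checks is constructed to mirror the report rather than taken from the real ferm.service, and the function names are my own.

```python
# Added example, not code from ferm or the report: lint a systemd unit for the
# three ferm.service defects described above. Unit text below is constructed.
LOCK_FILE = "/run/xtables.lock"  # created by iptables-legacy at run time

def parse_unit(text: str) -> dict[str, dict[str, list[str]]]:
    """{section: {key: [tokens]}}; repeated settings append, a bare 'Key=' resets."""
    sections: dict[str, dict[str, list[str]]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            continue
        key, _, value = line.partition("=")
        bucket = sections.setdefault(current, {}).setdefault(key.strip(), [])
        if not value.strip():
            bucket.clear()  # systemd: an empty assignment resets a list setting
        bucket.extend(value.split())
    return sections

def covers(rw_entry: str, target: str) -> bool:
    path = rw_entry.lstrip("-+") or "/"  # ReadWritePaths allows '-'/'+' prefixes
    return target == path or target.startswith(path.rstrip("/") + "/")

def lint_firewall_unit(text: str) -> list[str]:
    """One finding string per defect; an empty list means the unit is clean."""
    u = parse_unit(text)
    unit, svc = u.get("Unit", {}), u.get("Service", {})
    findings = []
    # 1. Before=network-pre.target plus After=network.target cycles once NetworkManager sits between them.
    if "network-pre.target" in unit.get("Before", []) and "network.target" in unit.get("After", []):
        findings.append("ordering cycle: drop After=network.target")
    # 2. ProtectSystem=strict leaves /run read-only unless ReadWritePaths reopens it.
    if svc.get("ProtectSystem", [])[-1:] == ["strict"] and not any(
            covers(p, LOCK_FILE) for p in svc.get("ReadWritePaths", [])):
        findings.append(f"{LOCK_FILE} read-only: add /run to ReadWritePaths")
    # 3. Allow-list bounding set without CAP_SYS_MODULE breaks modprobe ('~' lists not modelled).
    caps = svc.get("CapabilityBoundingSet", [])
    if caps and not any(c.startswith("~") for c in caps) and "CAP_SYS_MODULE" not in caps:
        findings.append("CAP_SYS_MODULE missing from CapabilityBoundingSet")
    return findings

BROKEN_UNIT = "\n".join([  # constructed to mirror the report, not the real unit
    "[Unit]", "Before=network-pre.target", "After=network.target", "[Service]",
    "ProtectSystem=strict", "ReadWritePaths=/var/cache/ferm",
    "CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW"])
FIXED_UNIT = (BROKEN_UNIT.replace("After=network.target\n", "").replace("/var/cache/ferm",
              "/var/cache/ferm /run").replace("CAP_NET_RAW", "CAP_NET_RAW CAP_SYS_MODULE"))
```

Running `lint_firewall_unit` over a real unit (for example the output of `systemctl cat ferm.service`) reproduces the checks a maintainer would otherwise only discover at boot.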
--- Begin Message ---
Source: ferm
Source-Version: 2.7-4
Done: Marc Haber <[email protected]>

We believe that the bug you reported is fixed in the latest version of
ferm, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Marc Haber <[email protected]> (supplier of updated ferm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Mon, 25 May 2026 12:58:03 +0200
Source: ferm
Architecture: source
Version: 2.7-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Ferm Maintainers <[email protected]>
Changed-By: Marc Haber <[email protected]>
Closes: 1137531 1137558
Changes:
 ferm (2.7-4) unstable; urgency=medium
 .
   * fix RC bugs in ferm.service:
     * add /run to ReadWritePaths
       Thanks to Petr Gajdůšek (Closes: #1137558)
     * add CAP_SYS_MODULE to CapabilityBoundingSet.
       Thanks to Petr Gajdůšek (Closes: #1137558)
     * remove After=network.target from ferm.
       Thanks to Petr Gajdůšek (Closes: #1137531)



--- End Message ---
