Control: retitle -1 systemd ordering for firewalls
Control: tags -1 help
thanks
Hi,

this topic is recurring for every firewall package I have seen. There are two factions, both of which have a point, and going after one solution causes breakage on the other side.

If we start the firewall early, firewall building fails when the firewall building needs the network, for example when the firewall admin writes hostnames in their firewall config (which I consider a not-so-good idea) or when the ruleset takes IP addresses and routes as input for rule building.

Starting the firewall late will leave the host unprotected for a possibly two-digit number of seconds, up to "indefinitely" when the boot process stalls.

There is also an issue with service dependencies (see #1137531, where a cyclic dependency with NetworkManager was reported). This probably needs an avalanche of coordination and testing to finally fix.

Moritz writes:

> Split into two services, e.g. ferm-base.service loading a base rule
> set which runs on network-pre.target and ferm-extended.service which
> runs on nss-lookup.target or network.target

This might be a solution. Would somebody help with the necessary dependencies of the units?

In the current version, ferm starts early again, which will break setups needing the network on initialization. I am actually planning myself to migrate away from ferm and to give nft another try, so I am kind of reluctant to implement a two-stage init at the current point. I definitely need help with the systemd dependencies, especially with the different kinds of network initialization stacks.

My idea would be to augment the regular firewall set /etc/ferm/ferm.conf with /etc/ferm/ferm.d as include directory with a second set /etc/ferm/ferm-early.conf and /etc/ferm/ferm-early.d, documenting the fact that ferm-early can't rely on the network being functional. This can probably be done easily enough, but I don't have time to test the service dependency hell.

Greetings
Marc
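As an added illustration of the two-stage layout sketched in the message above (this is example material, not code from the bug report or from the ferm package; the unit names, the file paths under /etc/ferm, and the choice of network-online.target for the late stage are assumptions), one way to order the two units so that the early stage runs before any interface is configured and the late stage runs only once addresses and name resolution are available:

```ini
# /etc/systemd/system/ferm-early.service   (assumed name and path)
[Unit]
Description=ferm base firewall (no network, no name resolution yet)
Documentation=man:ferm(1) man:systemd.special(7)
# No implicit After=sysinit.target/basic.target: those transitively
# order after network setup and are what produces the dependency cycle
# with a network manager when combined with Before=network-pre.target.
DefaultDependencies=no
# network-pre.target is a passive target. Network management services
# order After= it but do not pull it in, so the firewall has to both
# pull it in (Wants=) and order itself before it (Before=).
Wants=network-pre.target
Before=network-pre.target shutdown.target
Conflicts=shutdown.target

[Service]
Type=oneshot
RemainAfterExit=yes
# Assumed file: ferm-early.conf must use only literal addresses and
# interface names, never hostnames, interface addresses or routes.
ExecStart=/usr/sbin/ferm /etc/ferm/ferm-early.conf
ExecReload=/usr/sbin/ferm /etc/ferm/ferm-early.conf
# Deliberately no ExecStop: stopping the early stage must not flush
# the kernel ruleset and reopen the host.

[Install]
WantedBy=sysinit.target

# /etc/systemd/system/ferm.service   (the full ruleset, assumed layout)
[Unit]
Description=ferm full firewall configuration (network and DNS available)
Documentation=man:ferm(1) man:systemd.special(7)
# Keep default dependencies here; this unit must NOT carry
# Before=network-pre.target, or the cycle reappears.
Wants=ferm-early.service
After=ferm-early.service
# network-online.target is the documented synchronisation point for
# "addresses are configured" and has to be pulled in (Wants=) to have
# any effect; nss-lookup.target is ordering-only, so resolvers such as
# systemd-resolved or unbound are up before hostnames in ferm.conf are
# looked up.
Wants=network-online.target
After=network-online.target nss-lookup.target
Before=shutdown.target
Conflicts=shutdown.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/ferm /etc/ferm/ferm.conf
ExecReload=/usr/sbin/ferm /etc/ferm/ferm.conf
# On stop, fall back to the base ruleset instead of flushing to ACCEPT,
# so "systemctl stop ferm" never leaves the host unprotected.
ExecStop=/usr/sbin/ferm /etc/ferm/ferm-early.conf

[Install]
WantedBy=multi-user.target
```

Two practical points follow from this split. First, ferm rebuilds the tables a configuration file defines, so the full ruleset should carry the base rules as well, e.g. by starting /etc/ferm/ferm.conf with `@include "ferm-early.conf";` (ferm's own include directive); otherwise the late stage silently drops the protection the early stage installed. Second, a unit that waits on network-online.target only waits as long as the installed network manager's "online" notion lasts (NetworkManager-wait-online, systemd-networkd-wait-online and ifupdown each define it differently), so the delay before the full ruleset is active, and hence the window covered only by the base rules, should be measured with `systemd-analyze critical-chain ferm.service` on each stack rather than assumed.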

