[systemd-devel] How to securely load a firewall before networking gets up?
TLDR:

How to securely load a firewall before networking gets up?

Can you provide a secure, recommended or even canonical example of such a firewall.service?

Long:

Various people have come up with different implementations, and the systemd.special documentation makes me wonder if my own interpretation would be ideal.

Why not WantedBy=network-pre.target?

# firewalld.service (from Debian package)

[Unit]
Description=firewalld - dynamic firewall daemon
Before=network.target
Before=libvirtd.service
Before=NetworkManager.service
Conflicts=iptables.service ip6tables.service ebtables.service

[Service]
ExecStart=/usr/sbin/firewalld --nofork --nopid
ExecReload=/bin/kill -HUP $MAINPID
# supress to log debug and error output also to /var/log/messages
StandardOutput=null
StandardError=null
Type=dbus
BusName=org.fedoraproject.FirewallD1

[Install]
WantedBy=basic.target
Alias=dbus-org.fedoraproject.FirewallD1.service

# corridor-init-forwarding.service.in (by corridor package)

[Unit]
Description=corridor's forwarding
After=iptables.service systemd-sysctl.service
Before=network-pre.target
Wants=network-pre.target

[Service]
ExecStart=SBIN/corridor-init-forwarding
ExecStop=SBIN/corridor-stop-forwarding
Type=oneshot
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
RequiredBy=systemd-networkd.service

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] How to securely load a firewall before networking gets up?
On Thu, 28.07.16 17:29, Patrick Schleizer (patrick-mailingli...@whonix.org) wrote:

> TLDR:
>
> How to securely load a firewall before networking gets up?
>
> Can you provide a secure, recommended or even canonical example of such
> a firewall.service?

See https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/

> [Unit]
> Description=firewalld - dynamic firewall daemon
> Before=network.target

This is pointless and really doesn't do what the author of this file might think it does.

> [Service]
> ExecStart=/usr/sbin/firewalld --nofork --nopid
> ExecReload=/bin/kill -HUP $MAINPID
> # supress to log debug and error output also to /var/log/messages
> StandardOutput=null
> StandardError=null
> Type=dbus
> BusName=org.fedoraproject.FirewallD1
>
> [Install]
> WantedBy=basic.target

This is actively broken. A unit that hooks into basic.target *must* set DefaultDependencies=no, otherwise this will result in a cyclic dependency.

> [Unit]
> Description=corridor's forwarding
> After=iptables.service systemd-sysctl.service
> Before=network-pre.target
> Wants=network-pre.target

This is correct.

> [Service]
> ExecStart=SBIN/corridor-init-forwarding
> ExecStop=SBIN/corridor-stop-forwarding

The "SBIN/" doesn't look right.

Lennart

--
Lennart Poettering, Red Hat
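The three points in Lennart's review, turned into a check a packager can run before shipping a unit. This is an added example, not code from the thread, from systemd, firewalld or corridor: a small POSIX shell lint that flags Before=network.target on a firewall unit, WantedBy=basic.target without DefaultDependencies=no, and a unit that lacks either Before=network-pre.target or Wants=network-pre.target (the pairing the NetworkTarget page asks for, since network-pre.target is passive and is not pulled in by anything else). It runs over two constructed unit files: one cut down to the firewalld shape quoted above, and one in the corridor shape Lennart called correct. The nft command line and /etc/nftables.conf path in the second sample are assumptions chosen for illustration.

```shell
#!/bin/sh
# Static lint for a "firewall before networking" unit file.
# Added example, not from the original thread or any project.

# has_dep KEY VALUE FILE: true if some "KEY=" line in FILE lists VALUE as
# one of its whitespace-separated tokens. Commented lines never match
# because the pattern is anchored at the start of the line.
has_dep() {
    key=$1; value=$2; file=$3
    sed -n "s/^[[:space:]]*$key=//p" "$file" \
        | tr -s ' \t' '\n' \
        | grep -qxF -- "$value"
}

# check_firewall_unit FILE: print one finding per line, return 1 if any.
check_firewall_unit() {
    unit=$1; rc=0
    # Point 1: network.target is not an ordering point for interface setup.
    if has_dep Before network.target "$unit"; then
        echo "$unit: Before=network.target does not run the firewall before interfaces come up; order against network-pre.target"
        rc=1
    fi
    # Point 2: a target adds After= on its Wants=, and a service gets
    # After=basic.target by default, so this is a cycle unless defaults are off.
    if has_dep WantedBy basic.target "$unit" && ! has_dep DefaultDependencies no "$unit"; then
        echo "$unit: WantedBy=basic.target without DefaultDependencies=no creates a dependency cycle"
        rc=1
    fi
    # Point 3: network-pre.target is passive; the firewall must both pull it
    # in (Wants=) and order itself before it (Before=).
    if ! has_dep Before network-pre.target "$unit" || ! has_dep Wants network-pre.target "$unit"; then
        echo "$unit: needs both Before=network-pre.target and Wants=network-pre.target"
        rc=1
    fi
    return $rc
}

# Constructed samples (not real package files).
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT

cat > "$TMPD/bad.service" <<'EOF'
[Unit]
Description=firewall daemon, constructed sample in the firewalld shape
Before=network.target

[Service]
Type=dbus
ExecStart=/usr/sbin/firewalld --nofork --nopid

[Install]
WantedBy=basic.target
EOF

cat > "$TMPD/good.service" <<'EOF'
[Unit]
Description=load netfilter rules before any interface is configured (constructed sample)
After=systemd-sysctl.service
Before=network-pre.target
Wants=network-pre.target

[Service]
Type=oneshot
RemainAfterExit=yes
# Assumed command and path for illustration only.
ExecStart=/usr/sbin/nft -f /etc/nftables.conf

[Install]
WantedBy=multi-user.target
EOF

for u in "$TMPD/bad.service" "$TMPD/good.service"; do
    if check_firewall_unit "$u"; then
        echo "$u: ok"
    fi
done
```

The lint only reads the unit file; it does not replace `systemd-analyze verify` on the target machine, which also catches the cycle at load time. The cycle in point 2 comes from two implicit dependencies: target units complement each Wants=/Requires= entry with an After= on that unit, and a service unit acquires After=basic.target through DefaultDependencies=yes, so basic.target ends up after the firewall and the firewall after basic.target.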
Re: [systemd-devel] How to securely load a firewall before networking gets up?
Thank you! I forwarded your review in the form of bug reports to the affected projects. [1] [2]

Lennart Poettering:
> On Thu, 28.07.16 17:29, Patrick Schleizer (patrick-mailingli...@whonix.org)
> wrote:
>
>> TLDR:
>>
>> How to securely load a firewall before networking gets up?
>>
>> Can you provide a secure, recommended or even canonical example of such
>> a firewall.service?
>
> See https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/

With all due respect, I do not think this is a case of "read the manual" here. I did read that also before posting this question. I am sure rustybird, the author of the second systemd unit file I posted in this subject, also read that before.

As rustybird (who also once submitted a systemd patch wrt network-pre.target) pointed out, the author of netfilter-persistent also got it wrong. [1]

Having explained this, I would like to reiterate my request...

Can you provide a secure, recommended or even canonical example of such a firewall.service?

Cheers,
Patrick

[1] https://github.com/rustybird/corridor/issues/29
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832911
[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=829640