On Mon, Nov 15, 2010 at 7:05 AM, Ludwig Nussel <ludwig.nus...@suse.de> wrote:
> Lennart Poettering wrote:
>> On Thu, 11.11.10 14:06, Andreas Jaeger (a...@novell.com) wrote:
>> > On Thursday 11 November 2010 12:50:44 Kay Sievers wrote:
>> > > [...]
>> > > > Anyway, the point of this was only to have getty start late(ish) in
>> > > > the boot process, after most of the other services that are pulled in
>> > > > by multi-user.target. Maybe there is a better way to specify this, if
>> > > > not everyone has rc.local?
>> > >
>> > > Yeah, others asked for that too. So far, we don't really have a
>> > > concept of 'late' or 'last' in systemd.
>> >
>> > Yes, we had this in openSUSE as well the $ALL target to have the firewall
>> > called at the end so that it could handle services with dynamic ports.
>> > For details see https://bugzilla.novell.com/show_bug.cgi?id=652608
>>
>> Can't say I like this approach to firewalls. Matching against ports is a
>> thing of the past. The firewall people should match against processes,
>> that's the only remotely sensible thing and then all of this would not
>> be necessary.
>
> You lost me here.
>
>> I am really not a big fan of Suse's $ALL extension.
>
> Making SuSEfirewall2 run last via $ALL mostly is a boot speed
> optimization. The filtering rules (potentially) need to be adjusted
> each time a network interface appears or if an RPC service like
> ypbind or nfsd changes ports. SuSEfirewall2 can't do either
> operation incrementally (yet). So if it's known beforehand that an
> event would cause several SuSEfirewall2 calls it's better to block
> all calls and only do one full run at the end. That's the case
> during boot and when calling rcnetwork restart.

Well, this is a bit moot then, as you can make it
After=whatever-may-change-ports, or add those services with
Before=SuSEfirewall2.service

-- 
Gustavo Sverzut Barbieri
http://profusion.mobi embedded systems