As I posted the problem in the forum first, I had the following reply:
----------------------------------------
I have exactly the same problem. Also in my case, upgrade to 15.10 did not 
help. Searching the Internet for workarounds did not help either (except that 
this thread and a Debian bug report showed up). So I came up with my own 
workaround.

Shorewall does not come with a systemd native service unit description.
Such a description is generated at boot by
/lib/systemd/system-generators/systemd-sysv-generator based on
/etc/init.d/shorewall. I have
noticed, however, that the LSB header of /etc/init.d/shorewall wants the
service to be started from /etc/rcS.d, which is pretty early, and at the
same time it has Required-Start: $network $remote_fs, which is a pretty
strong requirement. In fact, this is the only script in /etc/rcS.d that
requires $network (well, except shorewall6, which exhibits exactly the
same problem). Looking into the auto-generated unit in
/run/systemd/generator.late/shorewall.service shows:

DefaultDependencies=no
Before=sysinit.target shutdown.target
After=network-online.target remote-fs.target
Wants=network-online.target
Conflicts=shutdown.target

This looks problematic: sysinit.target is a very early target, most
higher level services are started after it, and on many systems
(including mine) various dependencies will make network-online.target
available only after sysinit.target. So in the end, I wrote my own
shorewall.service definition and put it in /etc/systemd/system to
override the auto-generated one:

[Unit]
Documentation=man:shorewall
Description=Configure the IPv4 firewall at boot time
DefaultDependencies=no
After=local-fs.target systemd-sysctl.service
Before=network-pre.target shutdown.target
Wants=network-pre.target
Conflicts=shutdown.target

[Service]
Type=oneshot
RemainAfterExit=yes
TimeoutSec=30
Restart=no
IgnoreSIGPIPE=no
KillMode=none
ExecStart=/etc/init.d/shorewall start
ExecStop=/etc/init.d/shorewall stop
ExecReload=/etc/init.d/shorewall restart

[Install]
WantedBy=network-online.target

After that, the service is installed by:

$ sudo systemctl enable shorewall.service

This works for me, but I had a very specific requirement: for security
reasons, I wanted my firewall to be up before any network interfaces are
up. That means that no remote filesystems will be mounted yet when
shorewall start runs and all shorewall config files have to be on a
local filesystem. Additionally, /etc/default/shorewall does not define
any wait_interfaces.

--------------------------------------------------------------------
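
An added example (not part of the forum reply or of Shorewall): a small Python check that reads a unit's Before=/After= lines and reports pairs that cannot both hold. The "earlier than" edges are assumptions about a typical boot; the sysinit.target to network-online.target edge is the situation the reply describes.

```python
# Added example, not from the original post: checks a unit's Before=/After=
# lines against an assumed boot order and reports contradictions.

# ASSUMPTION: "earlier -> later" edges for a typical boot. The
# sysinit -> network-online edge is the situation the post describes.
EARLIER_THAN = {
    "local-fs.target": {"sysinit.target"},
    "sysinit.target": {"network-online.target"},
    "network-pre.target": {"network.target"},
    "network.target": {"network-online.target"},
}

def reached_before(a, b, seen=None):
    """True if a equals b or a is reached before b under EARLIER_THAN."""
    if a == b:
        return True
    seen = seen if seen is not None else set()
    seen.add(a)
    return any(reached_before(n, b, seen)
               for n in EARLIER_THAN.get(a, ()) if n not in seen)

def ordering(unit_text):
    """Return the (After, Before) unit lists found in a unit file's text."""
    deps = {"After": [], "Before": []}
    for line in unit_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() in deps:
            deps[key.strip()] += value.split()
    return deps["After"], deps["Before"]

def contradictions(unit_text):
    """Pairs (a, b): unit must start after a and before b, yet b comes first."""
    after, before = ordering(unit_text)
    return [(a, b) for a in after for b in before if reached_before(b, a)]

# Constructed inputs: the ordering lines quoted in the post.
GENERATED = """[Unit]
Before=sysinit.target shutdown.target
After=network-online.target remote-fs.target
Wants=network-online.target
"""
OVERRIDE = """[Unit]
After=local-fs.target systemd-sysctl.service
Before=network-pre.target shutdown.target
Wants=network-pre.target
"""

if __name__ == "__main__":
    print(contradictions(GENERATED), contradictions(OVERRIDE))
```
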

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1511869

Title:
  shorewall does not start at boot
