[systemd-devel] How to securely load a firewall before networking gets up?
Patrick Schleizer
patrick-mailinglists at whonix.org
Thu Jul 28 17:29:00 UTC 2016
TLDR:
How to securely load a firewall before networking gets up?
Can you provide a secure, recommended or even canonical example of such
a firewall.service?
Long:
Various people have come up with different implementations, and the
systemd.special documentation makes me wonder if my own interpretation
would be ideal. Why not WantedBy=network-pre.target?
#####
firewalld.service (from Debian package)

[Unit]
Description=firewalld - dynamic firewall daemon
Before=network.target
Before=libvirtd.service
Before=NetworkManager.service
Conflicts=iptables.service ip6tables.service ebtables.service

[Service]
ExecStart=/usr/sbin/firewalld --nofork --nopid
ExecReload=/bin/kill -HUP $MAINPID
# suppress logging of debug and error output also to /var/log/messages
StandardOutput=null
StandardError=null
Type=dbus
BusName=org.fedoraproject.FirewallD1

[Install]
WantedBy=basic.target
Alias=dbus-org.fedoraproject.FirewallD1.service
#####
corridor-init-forwarding.service.in (by corridor package)

[Unit]
Description=corridor's forwarding
After=iptables.service systemd-sysctl.service
Before=network-pre.target
Wants=network-pre.target

[Service]
ExecStart=SBIN/corridor-init-forwarding
ExecStop=SBIN/corridor-stop-forwarding
Type=oneshot
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
RequiredBy=systemd-networkd.service
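For comparison, here is a unit written the way systemd.special(7) describes network-pre.target. It is an added example, not taken from the post above nor from the Debian firewalld or corridor packages; the unit name, the rules file paths under /etc/iptables/ and the iptables-restore binary locations are assumptions. network-pre.target is a passive target: no unit pulls it in on its own, and every network manager (systemd-networkd, NetworkManager, ifupdown) only orders itself After= it. A firewall unit therefore has to do two things itself: pull the target in with Wants= and order itself Before= it.

```ini
# /etc/systemd/system/firewall.service  (assumed name; added example)
[Unit]
Description=Load netfilter rules before any network interface is configured
Documentation=man:systemd.special(7) man:iptables-restore(8)
# Passive target: the firewall must both want it and run before it.
Wants=network-pre.target
Before=network-pre.target shutdown.target
# Default dependencies would order this unit after basic.target, which
# systemd-networkd (itself DefaultDependencies=no) does not wait for.
DefaultDependencies=no
Conflicts=shutdown.target

[Service]
Type=oneshot
RemainAfterExit=yes
# Rules file paths are assumptions. A file name argument to
# iptables-restore needs iptables 1.6.2 or newer; older releases only
# read stdin, so wrap the call in a script using shell redirection.
ExecStart=/sbin/iptables-restore /etc/iptables/rules.v4
ExecStart=/sbin/ip6tables-restore /etc/iptables/rules.v6
ExecReload=/sbin/iptables-restore /etc/iptables/rules.v4
ExecReload=/sbin/ip6tables-restore /etc/iptables/rules.v6
# Deliberately no ExecStop: flushing rules on stop would leave the host
# open during shutdown or a unit restart.
StandardInput=null
ProtectSystem=full
ProtectHome=true

[Install]
WantedBy=sysinit.target
```

Two points this layout makes explicit. First, `WantedBy=network-pre.target` alone would only create a symlink in network-pre.target.wants/; because nothing activates the passive target by itself, the firewall would never be pulled in, which is why the corridor unit carries `Wants=network-pre.target` in [Unit]. Second, Before= is pure ordering: if iptables-restore fails, the unit fails but network configuration still proceeds. The corridor unit's `RequiredBy=systemd-networkd.service` is the fail-closed variant, since a Requires= on a unit that is ordered earlier and fails to start prevents networkd from starting. To check the result, `systemd-analyze verify firewall.service` reports syntax and ordering problems, and `systemctl list-dependencies --reverse network-pre.target` should list firewall.service once the unit is enabled.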