[systemd-devel] How to securely load a firewall before networking gets up?

Lennart Poettering lennart at poettering.net
Fri Jul 29 09:49:25 UTC 2016

On Thu, 28.07.16 17:29, Patrick Schleizer (patrick-mailinglists at whonix.org) wrote:

> How to securely load a firewall before networking gets up?
> Can you provide a secure, recommended or even canonical example of such
> a firewall.service?

See https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/

> [Unit]
> Description=firewalld - dynamic firewall daemon
> Before=network.target

This is pointless and really doesn't do what the author of this file
might think it does.

> [Service]
> ExecStart=/usr/sbin/firewalld --nofork --nopid
> ExecReload=/bin/kill -HUP $MAINPID
> # suppress to log debug and error output also to /var/log/messages
> StandardOutput=null
> StandardError=null
> Type=dbus
> BusName=org.fedoraproject.FirewallD1
> [Install]
> WantedBy=basic.target

This is actively broken. A unit that hooks into basic.target *must*
set DefaultDependencies=no, otherwise this will result in a cyclic

> [Unit]
> Description=corridor's forwarding
> After=iptables.service systemd-sysctl.service
> Before=network-pre.target
> Wants=network-pre.target

This is correct.

> [Service]
> ExecStart=SBIN/corridor-init-forwarding
> ExecStop=SBIN/corridor-stop-forwarding

The "SBIN/" doesn't look right.


Lennart Poettering, Red Hat
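The three points the reply makes (order the unit before network-pre.target and pull that target in with Wants=, set DefaultDependencies=no whenever the unit hooks into basic.target, and use absolute paths in Exec lines rather than something like "SBIN/") can be turned into a small lint that runs over a unit file before it is installed. The script below is an added example written for this page; it is not code from the systemd project or from anyone in the thread. The two sample units it writes, their file names, the Install target and the iptables paths are constructed for illustration and are not taken from the quoted units.

```shell
#!/bin/sh
# Lint for firewall unit files (added example, not systemd project code).
# Checks the points raised in the reply:
#   1. the unit orders itself Before=network-pre.target and pulls it in via Wants=
#   2. a unit that hooks into basic.target sets DefaultDependencies=no
#   3. ExecStart=/ExecStop=/ExecReload= use absolute paths ("SBIN/..." is not one)
# The sample units, paths and target names below are constructed for illustration.

# unit_value KEY FILE: print every value of KEY= in FILE, one line per occurrence.
unit_value() {
    sed -n "s/^[[:space:]]*$1=[[:space:]]*//p" "$2"
}

# has_value KEY VALUE FILE: succeed if VALUE appears in any KEY= list of FILE.
has_value() {
    case " $(unit_value "$1" "$3" | tr '\n' ' ') " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# check_firewall_unit FILE: print one line per finding; return 0 when clean.
check_firewall_unit() {
    f=$1
    rc=0
    has_value Before network-pre.target "$f" ||
        { echo "$f: missing Before=network-pre.target"; rc=1; }
    has_value Wants network-pre.target "$f" ||
        { echo "$f: missing Wants=network-pre.target"; rc=1; }
    # As the reply notes, hooking into basic.target without DefaultDependencies=no
    # yields a dependency cycle; check every key through which a unit can hook in.
    for key in Before WantedBy RequiredBy; do
        if has_value "$key" basic.target "$f" &&
           [ "$(unit_value DefaultDependencies "$f")" != "no" ]; then
            echo "$f: hooks into basic.target ($key=) without DefaultDependencies=no"
            rc=1
        fi
    done
    # Exec* values may carry prefix characters (-, +, @, !, :) before the path;
    # after stripping them the command must start with "/".
    bad=$(sed -nE 's/^[[:space:]]*Exec(Start|Stop|Reload)=[-+@!:]*//p' "$f" | grep -v '^/' || true)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sed "s|^|$f: non-absolute Exec path: |"
        rc=1
    fi
    return $rc
}

# write_sample_units DIR: write two constructed units, one correct and one broken.
write_sample_units() {
    # Correct pattern: same ordering as the unit the reply calls correct, with
    # absolute paths. The Install target and iptables commands are assumptions.
    cat > "$1/good.service" <<'EOF'
[Unit]
Description=Example firewall (constructed sample)
After=systemd-sysctl.service
Before=network-pre.target
Wants=network-pre.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/iptables-restore /etc/iptables/rules.v4
ExecStop=/usr/sbin/iptables -F

[Install]
WantedBy=multi-user.target
EOF
    # Broken pattern: the mistakes the reply points out, combined in one unit.
    cat > "$1/bad.service" <<'EOF'
[Unit]
Description=Example firewall, broken (constructed sample)
Before=network.target

[Service]
Type=simple
ExecStart=SBIN/firewall-init --nofork

[Install]
WantedBy=basic.target
EOF
}

# Demo: lint both samples and show the findings.
dir=$(mktemp -d)
write_sample_units "$dir"
check_firewall_unit "$dir/good.service" && echo "$dir/good.service: OK"
check_firewall_unit "$dir/bad.service" || echo "$dir/bad.service: FAILED"
rm -rf "$dir"
```

Run against the broken sample, the lint reports the missing network-pre.target ordering, the missing Wants=, the basic.target hook without DefaultDependencies=no, and the relative "SBIN/" path; the correct sample passes cleanly. The lint deliberately checks only what a unit file states; it does not replace inspecting the resulting ordering on a real system.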
