[systemd-devel] How to securely load a firewall before networking gets up?
Lennart Poettering
lennart at poettering.net
Fri Jul 29 09:49:25 UTC 2016
On Thu, 28.07.16 17:29, Patrick Schleizer (patrick-mailinglists at whonix.org) wrote:
> TLDR:
>
> How to securely load a firewall before networking gets up?
>
> Can you provide a secure, recommended or even canonical example of such
> a firewall.service?
See https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/
> [Unit]
> Description=firewalld - dynamic firewall daemon
> Before=network.target
This is pointless and really doesn't do what the author of this file
might think it does.
> [Service]
> ExecStart=/usr/sbin/firewalld --nofork --nopid
> ExecReload=/bin/kill -HUP $MAINPID
> # suppress to log debug and error output also to /var/log/messages
> StandardOutput=null
> StandardError=null
> Type=dbus
> BusName=org.fedoraproject.FirewallD1
>
> [Install]
> WantedBy=basic.target
This is actively broken. A unit that hooks into basic.target *must*
set DefaultDependencies=no, otherwise this will result in a cyclic
dependency.
> [Unit]
> Description=corridor's forwarding
> After=iptables.service systemd-sysctl.service
> Before=network-pre.target
> Wants=network-pre.target
This is correct.
>
> [Service]
> ExecStart=SBIN/corridor-init-forwarding
> ExecStop=SBIN/corridor-stop-forwarding
The "SBIN/" doesn't look right.
Lennart
--
Lennart Poettering, Red Hat
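An added example (not from this thread or from any distribution's packaging) of an early-boot firewall unit that follows the pattern Lennart marks as correct: it pulls in the passive network-pre.target with Wants= and orders itself Before= it, and it sets DefaultDependencies=no so that hooking into sysinit.target does not create a dependency cycle. The nft binary path and the ruleset file /etc/nftables.conf are assumptions.

```ini
# /etc/systemd/system/firewall.service (added example, assumed paths)
[Unit]
Description=Load the nftables ruleset before any network interface is configured
Documentation=https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/
# network-pre.target is passive: nothing pulls it in by itself, so this unit
# must both want it and order itself before it. Network managers order
# themselves After=network-pre.target, which is what keeps the rules ahead
# of the first interface coming up.
Wants=network-pre.target
Before=network-pre.target shutdown.target
# Early-boot units must opt out of the implicit After=basic.target /
# sysinit.target dependencies, otherwise pulling this unit into sysinit.target
# below would be cyclic. Without DefaultDependencies we also have to declare
# the shutdown conflict ourselves.
DefaultDependencies=no
Conflicts=shutdown.target

[Service]
Type=oneshot
RemainAfterExit=yes
# Load the ruleset atomically; a syntax error leaves the previous ruleset in place.
ExecStart=/usr/sbin/nft -f /etc/nftables.conf
ExecReload=/usr/sbin/nft -f /etc/nftables.conf
# Flushing on stop opens the host; keep it only if that is the intended policy.
ExecStop=/usr/sbin/nft flush ruleset
StandardInput=null
ProtectSystem=full
ProtectHome=true

[Install]
WantedBy=sysinit.target
```

Check the result with `systemd-analyze verify /etc/systemd/system/firewall.service` and `systemctl list-dependencies --reverse network-pre.target`, which should show the firewall unit hanging off the target and the network manager ordered after it.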