FS#33477 - [ufw] should be started as early as possible
Attached to Project:
Community Packages
Opened by Pierre Buard (Gilrain) - Sunday, 20 January 2013, 16:59 GMT
Last edited by Bartłomiej Piotrowski (Barthalion) - Wednesday, 23 January 2013, 20:57 GMT
Details
To ensure the firewall rules are set up before any sockets are made available, it must be started before sysinit.target.
Please add the following line to the [Unit] section of the service file:
Before=sysinit.target
Additional info:
* ufw 0.33-1
* systemd bug report establishing the new guideline: <https://bugs.freedesktop.org/show_bug.cgi?id=57773#c2>
Closed by Bartłomiej Piotrowski (Barthalion)
Wednesday, 23 January 2013, 20:57 GMT
Reason for closing: Fixed
Additional comments about closing: ufw 0.33-2
% status ufw
ufw.service - CLI Netfilter Manager
Loaded: loaded (/usr/lib/systemd/system/ufw.service; enabled)
Active: inactive (dead)
Jan 22 09:14:18 reborn ufw-init[183]: WARNING: The state match is obsolete. Use conntrack instead.
Jan 22 09:14:18 reborn ufw-init[183]: WARNING: The state match is obsolete. Use conntrack instead.
Jan 22 09:14:19 reborn ufw-init[183]: WARNING: The state match is obsolete. Use conntrack instead.
Jan 22 09:14:19 reborn systemd[1]: Started CLI Netfilter Manager.
Jan 22 10:08:33 reborn systemd[1]: Stopping CLI Netfilter Manager...
Jan 22 10:08:33 reborn systemd[1]: Stopped CLI Netfilter Manager.
Jan 22 10:12:09 reborn systemd[1]: Stopped CLI Netfilter Manager.
Jan 22 10:12:15 reborn systemd[1]: Starting CLI Netfilter Manager...
Jan 22 10:12:16 reborn systemd[1]: Started CLI Netfilter Manager.
Jan 22 10:14:28 reborn systemd[1]: Job ufw.service/stop deleted to break ordering cycle starting with sysinit.target/stop
First "DefaultDependencies" must be set to "no" (I assume that's what was implied by "make your fw services an early-boot service"). Otherwise the service does not start as stated by John.
Since we launch in a very basic environment, we must make sure that all the components of UFW are available. Hence "ConditionPathExists=|/etc/ufw/ufw.conf" and "ConditionDirectoryNotEmpty=|/usr/lib/ufw". I'm not sure but I think it would be overkill to check for iptables executables and what not.
Finally, "After=systemd-sysctl.service" was added because UFW changes some kernel parameters and it would be bad if they were overwritten by sysctl.
With this treatment, UFW starts and works as expected.
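The directives discussed in the comments above, assembled into one unit file as an added example (it is not the ufw package's own ufw.service; the [Service] section, the ufw-init paths and the WantedBy target are assumptions for illustration, only the [Unit] directives come from this report):

```ini
# Added example, not the packaged ufw.service. [Service] and [Install] are assumed.
[Unit]
Description=CLI Netfilter Manager
# Drop the implicit After=sysinit.target that DefaultDependencies=yes adds;
# keeping it while also ordering Before=sysinit.target is the cycle systemd
# reported as "Job ufw.service/stop deleted to break ordering cycle".
DefaultDependencies=no
# Load the ruleset before anything pulled in by sysinit.target opens sockets.
Before=sysinit.target
# ufw sets kernel parameters of its own; run after sysctl so they are not
# overwritten by /etc/sysctl.* values.
After=systemd-sysctl.service
# Early boot is a minimal environment: only start if ufw's own files exist.
# The leading "|" marks a triggering condition (any one of them suffices).
ConditionPathExists=|/etc/ufw/ufw.conf
ConditionDirectoryNotEmpty=|/usr/lib/ufw

[Service]
# Assumed: one-shot wrapper around ufw-init, kept "active" after it exits.
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/lib/ufw/ufw-init start
ExecStop=/usr/lib/ufw/ufw-init stop

[Install]
WantedBy=multi-user.target
```

After editing, run `systemctl daemon-reload` and inspect the effective ordering with `systemctl show -p After -p Before ufw.service`: sysinit.target should now appear only under Before, never under After. Note that DefaultDependencies=no also removes the implicit Conflicts=shutdown.target/Before=shutdown.target pair, so the unit is no longer stopped (and the rules flushed) during shutdown; for a firewall that is usually the desired behaviour, but it is a change from the default and worth knowing.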