Re: Unit dependency of network-pre.target in nftables.service

On Fri, Dec 1, 2023, at 06:50, You Yu Lu wrote:
> What is the reason to start nftable service before networkd configured
> by default?
> Is this the intended behavior for nftable? Or is it fine to modify the
> service unit file and change the dependency to fit different use
> cases?

If the firewall rules are not in place before the interfaces are configured and brought up, there will be a small window of time when the interfaces are receiving traffic but there is no protection in place. If the system in question has multiple interfaces and is responsible for forwarding traffic between them, then during this window of time traffic will be allowed to flow between those interfaces with no restrictions.

If the firewall rules are then put into place but allow traffic to flow if it is part of 'established' or 'related' flows (using conntrack mechanisms), such traffic may continue to flow even if the rules would stop new flows attempting to follow the same paths.
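As an added example (not part of the thread), a POSIX shell check that a firewall unit actually declares the ordering described above: both `Before=network-pre.target` and `Wants=network-pre.target`, the convention systemd.special(7) documents for services that must run before any interface comes up. The unit texts embedded below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: verify that a unit file orders itself
# before network-pre.target. Ordering alone (Before=) is not enough: without
# Wants=network-pre.target the target may never be pulled into the transaction.

# unit_orders_before_network_pre [FILE]
#   Reads a unit file (or stdin when no FILE is given) and returns 0 when the
#   [Unit] section lists network-pre.target in both Before= and Wants=,
#   1 otherwise. Multiple Before=/Wants= lines and space-separated values
#   are handled; lines outside [Unit] are ignored.
unit_orders_before_network_pre() {
    awk '
        /^\[/ { section = $0 }
        section == "[Unit]" && /^(Before|Wants)=/ {
            split($0, kv, "=")
            n = split(kv[2], vals, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (vals[i] == "network-pre.target") seen[kv[1]] = 1
        }
        END { exit !(seen["Before"] && seen["Wants"]) }
    ' "${1:--}"
}

# Constructed sample units: one ordered before the network, one after it.
good_unit=$(mktemp); bad_unit=$(mktemp)
cat > "$good_unit" <<'EOF'
[Unit]
Description=Example firewall loaded before interfaces (constructed)
Wants=network-pre.target
Before=network-pre.target shutdown.target
[Service]
Type=oneshot
EOF
cat > "$bad_unit" <<'EOF'
[Unit]
Description=Example firewall loaded after the network (constructed)
After=network-online.target
Wants=network-online.target
[Service]
Type=oneshot
EOF

check_good() { unit_orders_before_network_pre "$good_unit"; }
check_bad()  { ! unit_orders_before_network_pre "$bad_unit"; }
```

On a live system the same function can be fed the effective unit text with `systemctl cat nftables.service | unit_orders_before_network_pre` (the leading `# /path` comment line systemctl prints is ignored by the parser).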
