On Sun, Mar 16, 2025 at 08:32:45PM +0100, Philippe Cerfon wrote:
> Hey.
>
> I have two scenarios where I'm not quite sure whether I understand
> things correctly.
>
>
> 1) I'd like to start a firewall service *before* networking is brought up.
> My understanding was that this would best be done in the
> firewall.service unit by e.g.
> [Unit]
> Before=network-pre.target
> [Install]
> RequiredBy=network-pre.target
>
>
> network-online.target is After= network.target, which is
> After= network-pre.target, thus when the firewall is Before= that, it
> should be ensured that it runs first, right?
>
> And to ensure that the firewall service is started at all, the RequiredBy.
>
> But then, what does even start network-pre.target? It doesn't seem to
> be Wanted= or Required= by e.g. network.target.
>
> firewalld.service seems to use:
> [Unit]
> Before=network-pre.target
> Wants=network-pre.target
> which causes network-pre.target to be started (if it's started itself),
> but feels a bit strange. I'd rather have expected that something (e.g.
> NetworkManager) pulls in network-online.target, that network.target
> and that network-pre.target.
>
> But in any case, the idea is that firewall services should run Before=
> network-pre.target, right?
>
> 1a) Is it easily possible to prevent the network from being brought up
> altogether, when the firewall service fails (e.g. because of a typo in
> the rules)?
>
> I'd have hoped to get that done with the:
> [Install]
> RequiredBy=network-pre.target
> in the firewall service unit, but since e.g.
> NetworkManager.service only has:
> [Unit]
> Wants=network.target
> After=network-pre.target dbus.service
> Before=network.target
> which doesn't even Want= (or Require=) network-pre.target, neither
> would network.target ... that probably doesn't work.

NetworkManager *should* Require= network-pre.target. That it does not is
arguably a security vulnerability: if firewalld does not start,
NetworkManager must not start either.

> Same goes for systemd-networkd.service or Debian ifupdown's networking.service.
> All "only" Want= network.target and have only After= network-pre.target.
>
> I guess the simplest way to get that behaviour would be to add either:
> - a foo.requires/firewall.service for foo being everything that brings
> up the network
> - or a RequiredBy=NetworkManager.service ...
> in firewall.service
> ?
> But the downside with that is that one really needs to maintain the list.

The way you propose above is the logical and fail-closed way to do things.

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
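As an added example (not part of the thread), the fail-closed arrangement discussed above written out as a firewall unit plus a drop-in on the unit that brings up the network. firewall.service and NetworkManager.service are the names from the thread; nft(8) and /etc/nftables.conf are assumed stand-ins for whatever actually loads the rules. The drop-in is the other-side equivalent of the foo.requires/firewall.service symlink mentioned above, which is exactly what `systemctl enable` creates from a RequiredBy= line.

```ini
# /etc/systemd/system/firewall.service
# Loads the ruleset before any network is configured. nft and the
# ruleset path are assumed examples; the thread names no rule loader.
[Unit]
Description=Load firewall ruleset before the network is brought up
Before=network-pre.target
Wants=network-pre.target

[Service]
Type=oneshot
RemainAfterExit=yes
# A typo in the ruleset makes nft exit non-zero, so the unit fails and
# every unit that Requires= it (with an After= on it) is not started.
ExecStart=/usr/sbin/nft -f /etc/nftables.conf
# Reload replaces the rules in place; the ruleset file should start with
# "flush ruleset" so a reload replaces rather than appends.
ExecReload=/usr/sbin/nft -f /etc/nftables.conf

[Install]
RequiredBy=network-pre.target

# /etc/systemd/system/NetworkManager.service.d/50-require-firewall.conf
# Drop-in that makes the network bringer depend on the firewall itself.
# Requires= does not order units, and the "do not start if a required
# unit failed" rule only applies together with After= on the failing
# unit, so both are set. Repeat the drop-in for every unit that brings
# up the network (systemd-networkd.service, networking.service, ...).
[Unit]
Requires=firewall.service
After=firewall.service
```

Because Requires= also propagates stop and restart jobs, restarting firewall.service restarts NetworkManager.service as well; apply rule changes with `systemctl reload firewall.service` instead, which only runs ExecReload=.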