I think the problem with starting up probably has something to do with dhclient.
Log from dhclient:

Feb 24 16:06:08 kevsrv dhclient: Listening on LPF/eth0/60:a4:4c:b2:b1:a0
Feb 24 16:06:08 kevsrv dhclient: Sending on LPF/eth0/60:a4:4c:b2:b1:a0
Feb 24 16:06:08 kevsrv dhclient: Sending on Socket/fallback
Feb 24 16:06:08 kevsrv dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 6
Feb 24 16:06:14 kevsrv dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 15
Feb 24 16:06:14 kevsrv dhclient: DHCPREQUEST on eth0 to 255.255.255.255 port 67
Feb 24 16:06:14 kevsrv dhclient: DHCPOFFER from 192.168.1.1
Feb 24 16:06:14 kevsrv dhclient: DHCPACK from 192.168.1.1
Feb 24 16:06:14 kevsrv dhclient: bound to 192.168.1.2 -- renewal in 37878 seconds.

Log from shorewall-init:

Feb 24 16:06:09 Creating iptables-restore input...
Feb 24 16:06:09 Shorewall configuration compiled to /var/lib/shorewall/.start
Feb 24 16:06:09 Starting Shorewall....
Feb 24 16:06:09 ERROR: Unable to detect the gateway through interface eth0
Feb 24 16:06:09 ERROR:Shorewall start failed:Firewall state not changed

So it seems like shorewall starts just slightly after dhclient is initialized, and it failed before dhclient managed to retrieve a lease.

My current workaround is switching to use static addressing for eth0 AND adding shorewall.service file from upstream (even if I use static address, it does not work with LSB scripts).
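
An added example, not part of the original post: a small Python check that correlates the two logs quoted above and reports whether Shorewall's gateway detection failed while dhclient was still waiting for a lease, which leaves the host up with the firewall state unchanged. The function names and the assumed year are illustrative, and the log excerpts are trimmed copies of the lines in the post.

```python
import re
from datetime import datetime

# Trimmed copies of the log lines quoted in the post (host kevsrv, interface eth0).
DHCLIENT_LOG = """\
Feb 24 16:06:08 kevsrv dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 6
Feb 24 16:06:14 kevsrv dhclient: DHCPACK from 192.168.1.1
Feb 24 16:06:14 kevsrv dhclient: bound to 192.168.1.2 -- renewal in 37878 seconds.
"""
SHOREWALL_LOG = """\
Feb 24 16:06:09 Starting Shorewall....
Feb 24 16:06:09 ERROR: Unable to detect the gateway through interface eth0
Feb 24 16:06:09 ERROR:Shorewall start failed:Firewall state not changed
"""

STAMP = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (.*)$")

def events(log, year=2000):
    """Yield (datetime, message); syslog stamps carry no year, so one is assumed."""
    for line in log.splitlines():
        m = STAMP.match(line)
        if m:
            yield datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2)

def first(log, pattern):
    """Return (time, regex match) for the first message matching pattern, else None."""
    rx = re.compile(pattern)
    for ts, msg in events(log):
        m = rx.search(msg)
        if m:
            return ts, m
    return None

def diagnose(dhclient_log, shorewall_log):
    """Report whether the firewall failed between DHCPDISCOVER and the lease being bound."""
    fail = first(shorewall_log, r"Unable to detect the gateway through interface (\S+)")
    if fail is None:
        return {"race": False, "reason": "no gateway-detection error"}
    iface = fail[1].group(1)
    # dhclient's "bound to" line does not name the interface; a single-NIC host is assumed.
    asked = first(dhclient_log, rf"DHCPDISCOVER on {re.escape(iface)} ")
    bound = first(dhclient_log, r"bound to (\S+)")
    if bound is None:
        return {"race": False, "iface": iface, "reason": "no lease was ever bound"}
    early = (bound[0] - fail[0]).total_seconds()
    race = asked is not None and asked[0] <= fail[0] < bound[0]
    return {"race": race, "iface": iface, "lease": bound[1].group(1), "seconds_too_early": early}

if __name__ == "__main__":
    print(diagnose(DHCLIENT_LOG, SHOREWALL_LOG))
```
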