I ran into this on Ubuntu, and it seems the best way to handle this is via a systemd override. I created a file /etc/systemd/system/fail2ban.service.d/override.conf with contents:
[Unit]
Requires=shorewall.service
After=shorewall.service

This adds shorewall.service to both the Requires and After parameters, but won't be overwritten when fail2ban is upgraded.

I don't think this is something that should be handled in the Debian (or Ubuntu) repository, as not everyone who uses fail2ban is going to use Shorewall. The fix needs to be crafted for the particular firewall package being used. Unless you want to figure out all of the possible combinations, and make a package for each combination to insert the appropriate override file, which seems to me to be excessive.

As I run a private reprepro repository for my systems, I made my own "f2b-shorewall" package, which inserts the above override file and also inserts my standard fail2ban configuration (including configuring fail2ban for shorewall) in /etc/fail2ban/jail.d/local.conf, and made my package depend on fail2ban and shorewall. That way I install f2b-shorewall, it pulls in fail2ban and shorewall, with initial configuration of fail2ban done, and configuration of shorewall needing done. I'm sure I'll be tweaking it when fail2ban 0.10 hits, and I have to deal with shorewall6 in addition.

What would be helpful would be some documentation in README.Debian about this issue, suggesting use of the override file for firewall packages where this issue comes up.

Ben
--
Ben Coleman olo...@benshome.net | For the wise man, doing right trumps
http://oloryn.benshome.net/ | looking right. For the fool, looking
Amateur Radio NJ8J | right trumps doing right.
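The following is an added example, not part of the message above or of the fail2ban packaging: a shell helper that writes the same kind of drop-in for whichever firewall unit or units a host uses (for instance both shorewall.service and shorewall6.service). The function name `write_f2b_override` and the `DROPIN_DIR` variable are assumptions made for illustration; the default directory is the one named in the message.

```shell
#!/bin/sh
# Added example (hypothetical helper): generate a fail2ban drop-in that
# makes fail2ban require, and start after, one or more firewall units.

# Directory to write into; defaults to the path used in the message above.
DROPIN_DIR="${DROPIN_DIR:-/etc/systemd/system/fail2ban.service.d}"

write_f2b_override() {
    # Usage: write_f2b_override shorewall.service [shorewall6.service ...]
    [ "$#" -ge 1 ] || { echo "need at least one unit name" >&2; return 2; }

    units=""
    for u in "$@"; do
        # Accept only plain .service unit names, so an argument cannot
        # smuggle spaces, newlines or extra directives into the unit file.
        case "$u" in
            *[!A-Za-z0-9:_.@-]*|.service)
                echo "bad unit name: $u" >&2; return 2 ;;
            *.service)
                units="${units:+$units }$u" ;;
            *)
                echo "not a service unit: $u" >&2; return 2 ;;
        esac
    done

    mkdir -p "$DROPIN_DIR" || return 1
    tmp="$DROPIN_DIR/override.conf.tmp.$$"
    # Write to a temp file and rename, so systemd never reads a partial file.
    {
        echo "[Unit]"
        echo "Requires=$units"
        echo "After=$units"
    } > "$tmp" || return 1
    chmod 0644 "$tmp" && mv "$tmp" "$DROPIN_DIR/override.conf"
}

# On a real host, apply and check the result with:
#   systemctl daemon-reload
#   systemctl show -p Requires -p After fail2ban.service
```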