Package: sshguard
Version: 1.7.1-1

On systems with ufw (uncomplicated firewall, a popular firewall manager/frontend) *and* sshguard installed, a race condition exists between sshguard's firewall setup script and ufw.
As I understand it, ufw calls iptables-restore on multiple files on startup to create and populate its various chains. If, during one of those calls, /usr/lib/sshguard/firewall is called to add the sshguard chain, the iptables-restore call fails and ufw cracks open. This has bitten me a few times, leaving remote boxes unreachable over the network after a reboot since ufw was unable to restore all of its rules.

sshguard's systemd service file seems to have an After= directive which should prevent this, as ufw specifies a Before=network.target directive.

    [Unit]
    Description=SSHGuard
    Documentation=man:sshguard(8)
    After=network.service
    Before=sshd.service

Since none of my Debian systems have a network.service file, I tried changing "After=network.service" to "After=network.target", which did the trick: sshguard is now started well after ufw, and after tens of reboots I haven't seen the issue come up again.

Given my limited systemd knowledge, this may or may not be the best fix, but I believe something along these lines should be changed and a new package published.

This is on Debian 9.6 (latest at the time of this writing), all packages up to date.

Cheers,
-Simon

--
Simon Vetter
Embedded Software Engineer - EDF store & forecast
Phone: +33 7 83 40 26 11
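
Added example (not part of the original report, and not sshguard or ufw code): a shell check that lists the units named on a unit file's After=/Before= lines for which no unit file exists in the given directories, since an ordering directive that names an absent unit does not constrain start order. The function names, the temporary directory and its empty placeholder units are constructed for illustration.

```shell
#!/bin/sh
# Added example: find After=/Before= targets that have no unit file.

# Print each unit named on an After= or Before= line, one per line.
ordering_targets() {
    awk -F= '/^[ \t]*(After|Before)[ \t]*=/ {
        n = split($2, names, /[ \t]+/)
        for (i = 1; i <= n; i++) if (names[i] != "") print names[i]
    }' "$1" | sort -u
}

# missing_order_deps UNIT_FILE DIR...
# Print the ordering targets that exist in none of the DIRs.
# Assumption: plain file lookup only; aliases and generated units
# are not resolved.
missing_order_deps() {
    unit_file=$1
    shift
    for name in $(ordering_targets "$unit_file"); do
        found=no
        for search_dir in "$@"; do
            if [ -e "$search_dir/$name" ]; then found=yes; break; fi
        done
        [ "$found" = yes ] || printf '%s\n' "$name"
    done
}

# Constructed sample: the [Unit] section quoted in the report, plus
# empty placeholder units standing in for what the host provides.
make_demo_units() {
    demo=$(mktemp -d) || return 1
    cat > "$demo/sshguard.service" <<'EOF'
[Unit]
Description=SSHGuard
Documentation=man:sshguard(8)
After=network.service
Before=sshd.service
EOF
    : > "$demo/network.target"
    : > "$demo/sshd.service"
    : > "$demo/ufw.service"
    printf '%s\n' "$demo"
}

demo_dir=$(make_demo_units)
echo "ordering targets with no unit file:"
missing_order_deps "$demo_dir/sshguard.service" "$demo_dir"
rm -rf "$demo_dir"
```

On a real host, pass the installed unit file and the systemd unit directories instead of the constructed ones.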