On 10/19/19 10:18 AM, Paul Dreik wrote: > Source: nftables > Version: 0.7-1 > Severity: wishlist > > In case nftables has trouble starting, the result is a system with no rules at > all, resulting in everything allowed. This is surprising (for me), since the > entire point of having a firewall (for me) is to restrict access. > > This is how I setup my system (following https://wiki.debian.org/nftables): > - new installed of stretch system > - install nftables > - modify /etc/nftables.conf > - enable and start the nftables service > - verify that network traffic is blocked correctly > - fine, all good! > > The surprise came after the next reboot. I found entries in my mail log > indicating people trying to connect, which were supposed to be blocked. I > found > that the service was not running, because of trouble starting. The problem was > that I used a host name instead of ip address, and name resolution had a > temporary failure so the service failed. I suspect it runs early in the boot, > while the network is not fully configured yet. But my exact cause of the > problem is unimportant - I believe there are other reasons nftables could > refuse to start. > > I wonder if it would be possible to have some kind of fallback for this kind > of > situation. > - the service retries again, if it fails to start the first time > - default "block all" rules are applied > > The first option would potentially leave the network open for some time. > The second option would potentially lock people out from > administration/updates > causing the system to be unreachable. > > I "solved it" by adding a crontab job checking if the service was not running > ("service nftables status") and started it. > > This bug report is a request for comments - could something be written on the > Debian wiki? What is the recommended way of handling the situation? Could the > Debian systemd service file be modified such that it retries by default? >
I have 2 comments: * there is a risk in using DNS names to configure your firewall. The risk is exactly what you experimented: what if DNS resolution fails? Then firewall would not load, of course. My suggestion at this point is to avoid using DNS names. * if you want systemd to keep restarting the service, you can configure your unit .service file with something like 'Restart=always' (see systemd.service(5)). This has nothing to do with nftables specifically. That is a local config you can do to any systemd service in any machine. Hope this helps clarify your question. Closing bug now.
