Control: severity -1 important
thanks

On Wed, May 27, 2026 at 08:19:02AM +0200, Marc Haber wrote:
> My idea would be to augment the regular firewall set /etc/ferm/ferm.conf
> with /etc/ferm/ferm.d as include directory with a second set
> /etc/ferm/ferm-early.conf and /etc/ferm/ferm-early.d, documenting the
> fact that ferm-early can't rely on the network being functional.
>
> This can probably be done easily enough, but I don't have time to test
> the service dependency hell.
While not planning to spend much time on this in the next weeks, here are
some thoughts.

Splitting into ferm-early.service and ferm.service seems feasible.
Specifying dependencies to other network-related things will be a
challenge. The current After=remote-fs.target is clearly wrong, as this
specifies ferm _after_ network initialization. The current intention is
to start ferm early in the absence of a ferm-early.service. I would like
to encourage people who have rulesets needing network to try the split
locally and report their experiences (and to show their units).

The idea is:

  ferm-early.service > network-pre.target > Network Management Stack >
  interfaces configured > remote-fs | network-online > ferm.service

A first idea is:

ferm-early.service:

  [Unit]
  DefaultDependencies=no
  Before=network-pre.target
  Wants=network-pre.target
  ConditionPathExists=!/run/ferm-loaded
  RefuseManualStart=yes
  RefuseManualStop=yes

Would it make sense to explicitly specify

  Before=systemd-networkd.service
  Before=NetworkManager.service
  Before=networking.service

?

  [Service]
  Environment=CONFIG=/etc/ferm/ferm-early.conf CACHE_DIR=/var/cache/ferm-early
  Type=oneshot
  RemainAfterExit=yes
  ExecStart=ferm-systemd activate
  ExecStartPost=touch /run/ferm-loaded
  ExecReload=ferm-systemd activate
  ExecStop=ferm-systemd deactivate

  [Install]
  WantedBy=sysinit.target

This relies on all network management daemons saying

  [Unit]
  After=network-pre.target

We should probably establish the early ruleset in dedicated chains
input-early, output-early, forward-early and then just add one catch-all
rule in the INPUT, OUTPUT and FORWARD chain. The early ruleset should be
liberal, allowing outgoing DNS, incoming and outgoing ICMP (and ICMPv6
including SLAAC), allow the local host to act as DHCP client and NTP
client, to establish VPN connections, PPP, bridges, Wifi.
Then, the real ferm.service would be:

  [Unit]
  After=network-online.target
  Wants=network-online.target

Would it make sense to explicitly specify

  Before=systemd-networkd.service
  Before=NetworkManager.service
  Before=networking.service

?

  [Service]
  Environment=CONFIG=/etc/ferm/ferm.conf CACHE_DIR=/var/cache/ferm
  Type=oneshot
  RemainAfterExit=yes
  # optionally check whether we have working DNS
  ExecStartPre=getent ahostsv4 debian.org
  ExecStart=ferm-systemd activate
  ExecReload=ferm-systemd activate
  ExecStop=ferm-systemd deactivate

  [Install]
  WantedBy=multi-user.target

What do you think? Would that work?

Greetings
Marc
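The "liberal early ruleset in dedicated chains" sketched in the message above, written out as an added example of what /etc/ferm/ferm-early.conf could look like. This is editor-supplied illustration, not part of the bug report or of the ferm package; the chain names input-early/output-early/forward-early are taken from the message, while the exact port numbers, the conntrack-based rules and the choice to allow all ICMP/ICMPv6 are assumptions made here to keep the early stage permissive enough for DHCP, NDP/SLAAC, DNS and NTP before any interface is configured.

```ferm
# Added example of a ferm-early.conf (not from the bug report or ferm itself).
# Assumptions: both address families share one file, builtin chains only
# carry the catch-all jump, and the early chains are deliberately liberal.

domain (ip ip6) {
    table filter {
        # Builtin chains: default-deny plus one catch-all jump each, so the
        # later ferm.service can replace the whole table without surprises.
        chain INPUT {
            policy DROP;
            interface lo ACCEPT;
            mod conntrack ctstate INVALID DROP;
            mod conntrack ctstate (ESTABLISHED RELATED) ACCEPT;
            jump input-early;
        }
        chain OUTPUT {
            policy DROP;
            outerface lo ACCEPT;
            mod conntrack ctstate (ESTABLISHED RELATED) ACCEPT;
            jump output-early;
        }
        chain FORWARD {
            policy DROP;
            jump forward-early;
        }

        # What the host needs before the network is "online":
        # ICMP/ICMPv6 (ICMPv6 carries RA/NS/NA for SLAAC), DHCP as a client.
        chain input-early {
            @if @eq($DOMAIN, ip) {
                proto icmp ACCEPT;
                # DHCPv4 client: server port 67 -> client port 68
                proto udp sport 67 dport 68 ACCEPT;
            } @else {
                proto ipv6-icmp ACCEPT;
                # DHCPv6 client: server port 547 -> client port 546
                proto udp sport 547 dport 546 ACCEPT;
            }
        }
        chain output-early {
            @if @eq($DOMAIN, ip) {
                proto icmp ACCEPT;
                proto udp sport 68 dport 67 ACCEPT;
            } @else {
                proto ipv6-icmp ACCEPT;
                proto udp sport 546 dport 547 ACCEPT;
            }
            # DNS and NTP as a client (replies come back via conntrack above)
            proto (udp tcp) dport 53 ACCEPT;
            proto udp dport 123 ACCEPT;
        }
        chain forward-early {
            # Placeholder for bridge/VPN forwarding that must work before
            # network-online; only reply traffic is allowed by default.
            mod conntrack ctstate (ESTABLISHED RELATED) ACCEPT;
        }
    }
}
```

One caveat worth keeping in mind when trying this split locally: ferm flushes the chains of every table it manages when it activates a configuration, so the early chains vanish the moment ferm.service loads /etc/ferm/ferm.conf. The regular ruleset therefore has to carry its own DHCP, NDP and ICMPv6 allows; it cannot rely on input-early still being present.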

