June 8, 2026 at 1:58 PM, "Marc Haber" <[email protected]> wrote:
> Control: severity -1 important
> Thanks
>
> On Mon, Jun 08, 2026 at 11:36:18AM +0000, David Härdeman wrote:
> >
> > In my case, systemd dropped network-manager.service and
> > network-online.target, meaning the workstations came up with no
> > networking at all.
> >
> > My local fix (works for me, not 100% sure this is the right way) was
> > a drop-in like this:
> >
> > /etc/systemd/system/ferm.service.d/override.conf
> > After=
> > After=systemd-journald.socket basic.target
>
> Current ferm in unstable has the following unit:
>
> [Unit]
> Description=Firewall configuration with ferm
> Documentation=man:ferm(1)
> After=remote-fs.target
> Before=network-pre.target
> Wants=network-pre.target
> ConditionPathIsExecutable=/usr/sbin/ferm
> ConditionPathExists=/etc/ferm/ferm.conf

Thanks for the prompt reply :)

Yes, I'm using ferm from unstable (i.e. 2.7-5), so that matches my
current .service file. The problem is the "After=" line, I don't think
the firewall should try to come up *after* remote file systems.

> Does this solve the issue for you or at least make the situation better?

It makes it a little better since it used to be:

After=network.target remote-fs.target

And now it's only:

After=remote-fs.target

And I think that "After=network.target" could also have caused issues.

> Generally, I would advise to delay the /home NFS mount until the network is
> fully up and firewalled.

Yeah, I agree that mounting NFS file systems after the network is
firewalled makes sense. But that's the problem: the .service file now
says that "ferm.service" should be ordered "After=remote-fs.target",
which basically states the opposite.

And having the NFS /home mount as part of remote-fs.target is not really
my choice, that's what systemd does automatically for filesystems marked
as _netdev in fstab (or, I think, for filesystems with fstype "nfs"
where it can autodetect it).

(It also makes sense that the remote file systems (like NFS) would be
part of "remote-fs.target", that's pretty much what the target is for)

Regards,
David
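An added example, not part of the original mails and not ferm's or systemd's own code: a small model of the ordering edges discussed in this thread, showing that After=remote-fs.target combined with Before=network-pre.target closes a loop once /home is an NFS mount, and that the drop-in's After= list does not. The unit name home.mount and the edges for the mount and the network targets are assumptions based on systemd's documented defaults; everything outside these units is left out of the model.

```python
# Constructed ordering graph: unit -> units it must start AFTER.
# The ferm.service directives are the ones quoted in the thread; the edges
# below are assumed from systemd's defaults for _netdev/NFS mounts and the
# stock network targets. home.mount stands for the NFS /home mount.
BASE = {
    "network.target": {"network-pre.target"},
    "network-online.target": {"network.target"},
    "home.mount": {"network-online.target", "network.target"},
    "remote-fs.target": {"home.mount"},
}

def ferm_unit(after, before=("network-pre.target",)):
    """Return BASE plus ferm.service with the given After=/Before= lists."""
    graph = {unit: set(deps) for unit, deps in BASE.items()}
    graph["ferm.service"] = set(after)
    for unit in before:  # Before=X is the same edge as "X After=ferm.service"
        graph.setdefault(unit, set()).add("ferm.service")
    return graph

def find_cycle(graph):
    """Depth-first search; return one ordering cycle as a list, or None."""
    state = {}  # unit -> "visiting" | "done"
    path = []

    def visit(unit):
        state[unit] = "visiting"
        path.append(unit)
        for dep in sorted(graph.get(unit, ())):
            if state.get(dep) == "visiting":
                return path[path.index(dep):] + [dep]
            if dep not in state:
                cycle = visit(dep)
                if cycle:
                    return cycle
        path.pop()
        state[unit] = "done"
        return None

    for unit in sorted(graph):
        if unit not in state:
            cycle = visit(unit)
            if cycle:
                return cycle
    return None

PACKAGED = ferm_unit(after=["remote-fs.target"])
DROP_IN = ferm_unit(after=["systemd-journald.socket", "basic.target"])

if __name__ == "__main__":
    print("packaged unit:", find_cycle(PACKAGED))
    print("with drop-in: ", find_cycle(DROP_IN))
```

On a real host, `systemd-analyze verify ferm.service` and the "ordering cycle" messages in the boot journal report the same kind of loop, including which job systemd deleted to break it.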

