Lennart Poettering wrote:
> On Thu, 11.11.10 14:06, Andreas Jaeger ([email protected]) wrote:
>
> > On Thursday 11 November 2010 12:50:44 Kay Sievers wrote:
> > > [...]
> > > > Anyway, the point of this was only to have getty start late(ish) in
> > > > the boot process, after most of the other services that are pulled in
> > > > by multi-user.target. Maybe there is a better way to specify this, if
> > > > not everyone has rc.local?
> > >
> > > Yeah, others asked for that too. So far, we don't really have a
> > > concept of 'late' or 'last' in systemd.
> >
> > Yes, we had this in openSUSE as well the $ALL target to have the firewall
> > called at the end so that it could handle services with dynamic ports.
> > For details see https://bugzilla.novell.com/show_bug.cgi?id=652608
>
> Can't say I like this approach to firewalls. Matching against ports is a
> thing of the past. The firewall people should match against processes,
> that's the only remotely sensible thing and then all of this would not
> be necessary.

You lost me here.

> I am really not a big fan of Suse's $ALL extension.

Making SuSEfirewall2 run last via $ALL mostly is a boot speed
optimization. The filtering rules (potentially) need to be adjusted each
time a network interface appears or if an RPC service like ypbind or
nfsd changes ports. SuSEfirewall2 can't do either operation
incrementally (yet). So if it's known beforehand that an event would
cause several SuSEfirewall2 calls it's better to block all calls and
only do one full run at the end. That's the case during boot and when
calling rcnetwork restart.

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
