action #45731: Bug: firewalld is blocking everything until it's restarted - invisAD-setup - openSUSE Project Management Tool

action #45731

Bug: firewalld is blocking everything until it's restarted

Added by flacco over 4 years ago. Updated over 1 year ago.

Status:

Closed

Priority:

Urgent

Assignee:

ingogoeppert

Category:

Target version:

14.2

Start date:

2019-01-04

Due date:

2019-08-31

% Done:

100%

Estimated time:

Description

After a reboot of an invis server the new firwalld daemon is blocking everything until it is restarted.

History

#1 Updated by flacco over 4 years ago

Related to action #36079: Modify sine2 / invisAD-setup to be compatible with leap 15 added

#2 Updated by flacco over 4 years ago

Status changed from New to In Progress
% Done changed from 0 to 80

It seems that firewalld starts to early. The original service-unit file defines to start firewalld before "network-pre.target":

"[Unit]
Description=firewalld - dynamic firewall daemon
Before=network-pre.target
Wants=network-pre.target
After=dbus.service
After=polkit.service
..."

Starting firewalld later brings the risk that the system runs for a few moments without the firewall. Sytemd knows three different network targets. "network-pre.target", "network.target" and "network-online.target". The last one means that all network interfaces are up and online. Starting the firewall before this target should be secure enough.

Changing the firewalld service-unit file to:

"[Unit]
Description=firewalld - dynamic firewall daemon
After=network-pre.target
Before=network-online.target
After=dbus.service
After=polkit.service
..."

did the job. This should be secure enough.