Bug#863802: systemd unit breaks ferm in some setups in jessie->stretch upgrade
Package: ferm
Version: 2.5.1-1.1
Followup-For: Bug #863802
Dear Alex,
A similar problem arises in bookworm.
After intensive debugging I found that when ferm starts, the
(statically configured) network interfaces have no IP address yet.
I was forced to override the unit file to get ferm working after boot.
> Which is funny. We had a bunch of bugs about ferm starting late where
> everyone stated it should be up before the network is up.
It should be, but it cannot.
The others say: for security reasons traffic filtering must be functional
before the first network packet arrives. That is a laudable conception
but unfortunately it is not operable in every situation.
The result: the host has no protection at all.
> Someone should decide, which is not me. Therefore I don't think this is
> grave.
Okay, it is ME who decides. :-) Ferm MUST wait for the networking
to be fully up.
A host without protection for half a second is far better than
an unprotected host.
At least README.Debian should discuss this problem and should
give a recipe for admins in the same situation.
Sorry if I was too pushy.
Cheers
Gabor
-- System Information:
Debian Release: 12.8
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-27-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages ferm depends on:
ii debconf 1.5.82
ii init-system-helpers 1.65.2
ii iptables 1.8.9-2
ii perl 5.36.0-7+deb12u1
ii sysvinit-utils [lsb-base] 3.06-4
Versions of packages ferm recommends:
ii libnet-dns-perl 1.36-1
ferm suggests no packages.
-- Configuration Files:
/etc/ferm/ferm.conf [Errno 13] Permission denied: '/etc/ferm/ferm.conf'
-- debconf information:
* ferm/enable: false
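The reporter does not show the override used; the drop-in below is an added example (not from the ferm package or the reporter) of how such an override is usually done with `systemctl edit ferm.service`. It assumes the host runs a wait-online service (ifupdown's networking.service, systemd-networkd-wait-online or NetworkManager-wait-online) so that network-online.target is reached only once the configured interfaces have their addresses.

```ini
# /etc/systemd/system/ferm.service.d/override.conf
# Added example drop-in, not shipped by the ferm package.
#
# The stock ordering starts ferm before the network so that filtering
# exists before the first packet arrives. On hosts where the ruleset
# cannot be loaded until interfaces have their addresses (the situation
# in this report), that ordering makes ferm fail at boot and the host
# runs with no filtering at all. Ordering ferm after network-online.target
# trades a short unfiltered window for a ruleset that actually loads.
#
# Assumption: something on this host delays network-online.target until
# the static addresses are configured; without a wait-online service the
# target can be reached before the interfaces are ready and this drop-in
# changes nothing.
[Unit]
After=network-online.target
Wants=network-online.target
```

After `systemctl daemon-reload`, `systemctl show -p After -p Wants ferm.service` confirms the new ordering, and `systemd-analyze critical-chain ferm.service` shows where ferm now sits in the boot sequence. Check `journalctl -b -u ferm` after the next reboot to verify the ruleset loaded rather than failing silently.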