Re: way of starting a firewall script in debian 9 with kde5 and sddm



On 18/10/17 01:25, Ben Caradoc-Davies wrote:
> On 18/10/17 01:08, Stephane L wrote:
>> Hi, I have a firewall script (firewall) that I launch with <firewall
>> start>. Is there a way in debian 9 (with kde5 and sddm) to start this
>> script at the boot of the linux system or at the launching of xorg or
>> of kde5?
> 
> systemd units are easy to write (this is the main benefit of systemd)
> and can be configured to run at boot time. Here is one I wrote for
> iptables+ip6tables (because I do not want changes to persist across
> boots, just clean rules on boot). You will need a different Type if your
> program does not exit:
> 
> $ cat /etc/iptables/iptables.service
> [Unit]
> Description=iptables rules
> After=network.target
> [Service]
> Type=oneshot
> ExecStart=/bin/bash -c "/sbin/iptables-restore < /etc/iptables/iptables.rules"
> ExecStart=/bin/bash -c "/sbin/ip6tables-restore < /etc/iptables/ip6tables.rules"
> RemainAfterExit=yes
> ExecStop=/sbin/iptables -F
> ExecStop=/sbin/ip6tables -F
> [Install]
> WantedBy=multi-user.target
> 
> I enabled it with:
> 
> systemctl enable /etc/iptables/iptables.service
> 
> This should add the required symlink in /etc/systemd/system .

Mine's a bit different, and rather shorter ... any comments welcome:

/etc/systemd/system/firewall.service:
---------------------------------------
[Unit]
Before=network-pre.target

[Service]
ExecStart=/etc/network/firewall
Type=oneshot
RemainAfterExit=yes

[Install]
WantedBy=network.target
---------------------------------------

I don't want the network up without the firewall, so it goes before the
network. Likewise, I don't want it ever down, so there's no ExecStop.

/etc/network/firewall is a short script that sources firewall4 (and
firewall6 if I had one. I probably should ...).

I wasn't aware of or familiar with the idea of putting it somewhere else
and enabling/disabling it; I'm not sure if I need that.

Richard
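
An added example (not code from either poster): a small POSIX shell check for the ordering points this thread turns on. It assumes the systemd.special(7) guidance that network-pre.target is a passive target, which a unit ordering itself before it should also pull in with Wants=network-pre.target; the function names and sample units are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread.

# unit_has KEY VALUE_REGEX FILE: true if a KEY= line lists the value.
unit_has() {
    grep -Eq "^$1=(.*[[:space:]])?$2([[:space:]].*)?\$" "$3"
}

# Prints one line per finding; the exit status is the number of findings.
lint_firewall_unit() {
    f=$1
    n=0
    if ! unit_has Before 'network-pre\.target' "$f"; then
        echo "$f: not ordered Before=network-pre.target"
        n=$((n + 1))
    fi
    if ! unit_has Wants 'network-pre\.target' "$f"; then
        echo "$f: network-pre.target is not pulled in with Wants="
        n=$((n + 1))
    fi
    if grep -Eq '^ExecStop=.*ip6?tables.* (-F|--flush)' "$f"; then
        echo "$f: ExecStop flushes the rules when the unit is stopped"
        n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample units, reduced from the two posted in this thread,
# plus a third (an assumption) that adds Wants=network-pre.target.
tmp=$(mktemp -d)
printf '%s\n' '[Unit]' 'After=network.target' '[Service]' 'Type=oneshot' \
    'ExecStop=/sbin/iptables -F' > "$tmp/after-network.service"
printf '%s\n' '[Unit]' 'Before=network-pre.target' '[Service]' \
    'ExecStart=/etc/network/firewall' 'Type=oneshot' \
    > "$tmp/before-network.service"
printf '%s\n' '[Unit]' 'Wants=network-pre.target' \
    'Before=network-pre.target' '[Service]' \
    'ExecStart=/etc/network/firewall' 'Type=oneshot' \
    > "$tmp/pulled-in.service"

for u in "$tmp"/*.service; do
    lint_firewall_unit "$u" || true
done
```

The check is line-based: it does not follow drop-in directories or backslash line continuations, and it treats a flushing ExecStop as a finding only because the second poster states that the firewall should never be down.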
