Comment 1 for bug 1823051

Two possible fixes for this are 1) to add ReadWritePaths=-/etc/ufw to the knockd.service, or 2) change the knockd.service from ProtectSystem=full to ProtectSystem=true. Relaxing the ProtectSystem might actually be the best approach since the only change between 'full' and 'true' is allowing r/w access to /etc.