As I posted the problem in the forum first, I had the following reply:
----------------------------------------
I have exactly the same problem. Also in my case, upgrade to 15.10 did not help. Searching the Internet for workarounds did not help either (except that this thread and a Debian bug report showed up). So I came up with my own workaround.
Shorewall does not come with a systemd native service unit description. Such description is being generated at boot by /lib/systemd/system-generators/systemd-sysv-generator based on /etc/init.d/shorewall. I have noticed, however, that the LSB header of /etc/init.d/shorewall wants the service to be started from /etc/rcS.d, which is pretty early, and at the same time it has Required-Start: $network $remote_fs, which is a pretty strong requirement. In fact, this is the only script in /etc/rcS.d that requires $network (well, except shorewall6, which exhibits exactly the same problem). Looking into the auto-generated unit in /run/systemd/generator.late/shorewall.service shows:
DefaultDependencies=no
Before=sysinit.target shutdown.target
After=network-online.target remote-fs.target
Wants=network-online.target
Conflicts=shutdown.target
This looks problematic: sysinit.target is a very early target, most higher level services are started after it, and on many systems (including mine) various dependencies will make network-online.target available only after sysinit.target. So in the end, I wrote my own shorewall.service definition and put it in /etc/systemd/system to override the auto-generated one:
[Unit]
Documentation=man:shorewall
Description=Configure the IPv4 firewall at boot time
DefaultDependencies=no
After=local-fs.target systemd-sysctl.service
Before=network-pre.target shutdown.target
Wants=network-pre.target
Conflicts=shutdown.target
[Service]
Type=oneshot
RemainAfterExit=yes
TimeoutSec=30
Restart=no
IgnoreSIGPIPE=no
KillMode=none
ExecStart=/etc/init.d/shorewall start
ExecStop=/etc/init.d/shorewall stop
ExecReload=/etc/init.d/shorewall restart
[Install]
WantedBy=network-online.target
After that, the service is installed by:
$ sudo systemctl enable shorewall.service
This works for me, but I had a very specific requirement: for security reasons, I wanted my firewall to be up before any network interfaces are up. That means that no remote filesystems will be mounted yet when shorewall start runs and all shorewall config files have to be on a local filesystem. Additionally, /etc/default/shorewall does not define any wait_interfaces.
----------------------------------------
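The ordering difference between the two units in the reply can be checked mechanically. The script below is an added example, not part of the forum reply or of Shorewall: its function names and sample files are hypothetical, and the sample units are constructed from the directive values quoted above. It relies on the systemd convention that a service meant to run before any interface is configured sets both Before=network-pre.target and Wants=network-pre.target.

```shell
# Added example: function names and sample files are hypothetical.
# unit_values FILE KEY: print each value of KEY found in the [Unit] section.
unit_values() {
    awk -v key="$2" '
        /^\[/ { in_unit = ($0 == "[Unit]"); next }
        in_unit && index($0, key "=") == 1 {
            sub(/^[^=]*=/, "")
            n = split($0, v, /[ \t]+/)
            for (i = 1; i <= n; i++) if (v[i] != "") print v[i]
        }' "$1"
}
has_value() { unit_values "$1" "$2" | grep -qxF "$3"; }

# check_firewall_ordering FILE: return 0 only if the unit is ordered before
# network-pre.target and does not wait for the network or remote mounts.
check_firewall_ordering() {
    rc=0
    has_value "$1" Before network-pre.target ||
        { echo "FAIL: no Before=network-pre.target"; rc=1; }
    has_value "$1" Wants network-pre.target ||
        { echo "FAIL: no Wants=network-pre.target to pull the target in"; rc=1; }
    for dep in network.target network-online.target remote-fs.target; do
        if has_value "$1" After "$dep"; then
            echo "FAIL: After=$dep waits for the network or remote mounts"
            rc=1
        fi
    done
    if has_value "$1" Before sysinit.target &&
       has_value "$1" After network-online.target; then
        echo "FAIL: Before=sysinit.target with After=network-online.target"
        rc=1
    fi
    return "$rc"
}

# Constructed sample input: the generated unit and the override from the reply.
write_generated_sample() {
    printf '%s\n' '[Unit]' 'DefaultDependencies=no' \
        'Before=sysinit.target shutdown.target' \
        'After=network-online.target remote-fs.target' \
        'Wants=network-online.target' 'Conflicts=shutdown.target' > "$1"
}
write_override_sample() {
    printf '%s\n' '[Unit]' 'DefaultDependencies=no' \
        'After=local-fs.target systemd-sysctl.service' \
        'Before=network-pre.target shutdown.target' \
        'Wants=network-pre.target' 'Conflicts=shutdown.target' \
        '[Install]' 'WantedBy=network-online.target' > "$1"
}
```

On a real host, point check_firewall_ordering at the unit file systemd actually loads, for example /etc/systemd/system/shorewall.service, and compare with the output of systemctl show -p Before -p After shorewall.service.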