From 3fb258db47513cfe0b2899780e2e094a2b342713 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
Date: Mon, 20 Nov 2017 02:42:39 +0100
Subject: [PATCH] network: order qubes-firewall service before enabling IP forwarding

Start qubes-firewall (which will add "DROP by default" rule) before enabling IP forwarding, to not leave a time slot where some connection could go around configured firewall.

QubesOS/qubes-issues#3269
---
 vm-systemd/qubes-firewall.service | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/vm-systemd/qubes-firewall.service b/vm-systemd/qubes-firewall.service
index 14f2091..3fb725c 100644
--- a/vm-systemd/qubes-firewall.service
+++ b/vm-systemd/qubes-firewall.service
@@ -1,7 +1,8 @@
 [Unit]
 Description=Qubes firewall updater
 ConditionPathExists=/var/run/qubes-service/qubes-firewall
-After=qubes-network.service
+After=qubes-iptables.service
+Before=qubes-network.service

 [Service]
 ExecStart=/usr/sbin/qubes-firewall
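Review bot: The added `Before=qubes-network.service` only orders the two start jobs; it does not by itself guarantee that the "DROP by default" rule is installed before qubes-network enables forwarding. The `[Service]` section continues outside the hunk, but if it keeps the default `Type=simple`, systemd treats the unit as started as soon as `/usr/sbin/qubes-firewall` is forked, so a shorter window could remain. Consider `Type=notify`, with the daemon signalling readiness via sd_notify only after the default-drop rule is applied. Ordering is also not a requirement dependency, so if qubes-firewall fails to start, qubes-network presumably still runs and enables forwarding; it is worth confirming that qubes-iptables alone leaves a default-deny forward policy. A short comment above the new line would record the intent, e.g. `# must be up before qubes-network enables IP forwarding`.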