use http://mdcc.cx/pub/uruk/uruk-20180528.tar.xz.asc in debian/watch

this issue might have been (partly) fixed in 20160219-2: see also zebraika log.pod

on systems with "a lot" of IP addresses/network interfaces, after boot systemd
thinks uruk is broken. observed at e.g. system 'poncelet', running Debian jessie
w/ uruk 20160219-1:

    Nov 13 12:19:42 poncelet systemd[1]: Starting Uruk firewall service...
    Nov 13 12:19:42 poncelet systemd[1]: Started Uruk firewall service.
    Nov 13 12:19:42 poncelet systemd[1]: Stopping Uruk firewall service...
    Nov 13 12:19:42 poncelet systemd[1]: Started Uruk firewall service.
    Nov 13 12:19:42 poncelet systemd[1]: Stopping Uruk firewall service...
    Nov 13 12:19:42 poncelet systemd[1]: Starting Uruk firewall service...
    etc etc

/etc/network/if-up.d/uruk calls "invoke-rc.d uruk force-reload", which calls
"systemctl restart uruk": one restart for every interface that comes up.

we observe:

    service uruk status
    green

    repeat 20; do sleep 0.001; systemctl restart uruk; done
    red

    systemctl restart uruk
    service uruk status
    green

when dhcp assigns a different IP to a network interface, ifupdown is _not_
notified. the uruk ifupdown hook claims to deal with dynamic networking, but
fails for exactly that case.

cranking up limits in /lib/systemd/system/uruk.service won't really help; it
will break on systems which have even more nics.

do we want this:

    # systemctl -p CanReload show uruk
    CanReload=no

?

the best solution very likely is: get rid of /etc/network/if-up.d/uruk.
however, this needs a _lot_ of testing. e.g. on poncelet we've observed that
systemd thinks uruk is "ok" after boot while no iptables rules have been
loaded...

test on okutank, and hand it back nice and clean afterwards.

    root@okutank:~# grep -i uruk /var/log/syslog | grep systemd
    Dec 4 14:33:06 okutank systemd[1]: Stopped Uruk firewall service.
    Dec 4 14:33:23 okutank systemd[1]: Starting Uruk firewall service...
    Dec 4 14:33:23 okutank systemd[1]: Started Uruk firewall service.
    Dec 4 14:33:23 okutank systemd[1]: Stopped Uruk firewall service.
    Dec 4 14:33:23 okutank systemd[1]: Stopping Uruk firewall service...
    Dec 4 14:33:23 okutank systemd[1]: Starting Uruk firewall service...
    Dec 4 14:33:23 okutank systemd[1]: Started Uruk firewall service.
    Dec 4 14:33:25 okutank systemd[1]: Stopped Uruk firewall service.
    Dec 4 14:33:25 okutank systemd[1]: Stopping Uruk firewall service...
    Dec 4 14:33:25 okutank systemd[1]: Starting Uruk firewall service...
    Dec 4 14:33:25 okutank systemd[1]: Started Uruk firewall service.
    Dec 4 14:33:25 okutank systemd[1]: Stopped Uruk firewall service.
    Dec 4 14:33:25 okutank systemd[1]: Stopping Uruk firewall service...
    Dec 4 14:33:25 okutank systemd[1]: Starting Uruk firewall service...
    Dec 4 14:33:25 okutank systemd[1]: Started Uruk firewall service.

    root@okutank:~# service uruk status
    green
    root@okutank:~# iptables -L -n -v | wc -l
    81

    root@okutank:/etc/network/if-up.d# mv uruk ~/
    root@okutank:~# reboot
    root@okutank:~# iptables -L -n -v | wc -l
    8

so it's broken now:

    root@okutank:~# service uruk status
    Active: inactive (dead)
    root@okutank:~# service uruk restart
    root@okutank:~# service uruk status
    Active: active (exited) since Mon 2017-12-04 14:36:20 CET; 2s ago
    green
    root@okutank:~# mv uruk /etc/network/if-up.d/

during boot, without the if-up.d thing:

    Dec 4 14:35:33 okutank systemd-timesyncd[474]: Synchronized to time server 137.56.247.195:123 (ntp1.uvt.nl).
    Dec 4 14:35:34 okutank systemd[1]: Started Raise network interfaces.
    Dec 4 14:35:34 okutank systemd[1]: Reached target Network.
    Dec 4 14:35:34 okutank systemd[1]: Starting OpenBSD Secure Shell server...
    Dec 4 14:35:34 okutank systemd[1]: Reached target Network is Online.
    Dec 4 14:35:34 okutank systemd[1]: Starting /etc/rc.local Compatibility...
    Dec 4 14:35:35 okutank systemd[1]: Started The Apache HTTP Server.
    Dec 4 14:35:35 okutank systemd[1]: Started Postfix Mail Transport Agent (instance -).
    Dec 4 14:35:35 okutank systemd[1]: Starting Postfix Mail Transport Agent...
    Dec 4 14:35:35 okutank systemd[1]: Started Postfix Mail Transport Agent.
    Dec 4 14:35:35 okutank systemd[1]: Startup finished in 1.329s (kernel) + 2.940s (userspace) = 4.270s.
    Dec 4 14:36:19 okutank systemd[1]: Starting Uruk firewall service...
    Dec 4 14:36:20 okutank urukctl[1780]: Saving IPv6 uruk rules as active ruleset.
    Dec 4 14:36:20 okutank kernel: [   50.115249] ip6_tables: (C) 2000-2006 Netfilter Core Team
    Dec 4 14:36:20 okutank systemd[1]: Started Uruk firewall service.
    Dec 4 14:36:20 okutank systemd[1]: Reached target Network (Pre).

we no longer try to support handling dynamic IPs out of the box. early in the
boot process, uruk assumes all to-be-assigned IPs are known. we load the final
uruk ruleset early in boot.

if-up.d: use urukctl, not invoke-rc.d, to work around bug^wfeature^wbug in
systemd

    root@okutank:~# ls -l /var/lib/uruk/*
    /var/lib/uruk/ip6tables:
    total 16
    -rw-r--r-- 1 root root 8101 Dec  4 14:36 active
    -rw-r--r-- 1 root root    0 Dec  4 14:36 autosave
    -rw-r--r-- 1 root root 7798 Feb 22  2016 inactive

    /var/lib/uruk/iptables:
    total 16
    -rw-r--r-- 1 root root 7404 Dec  4 14:36 active
    -rw-r--r-- 1 root root    0 Dec  4 14:36 autosave
    -rw-r--r-- 1 root root 6289 Feb 22  2016 inactive

    root@okutank:~# mv /etc/network/if-up.d/uruk ~/
    root@okutank:~# reboot
    root@okutank:~# iptables -L -n -v
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    root@okutank:~# service uruk status
    ● uruk.service - Uruk firewall service
       Loaded: loaded (/lib/systemd/system/uruk.service; static; vendor preset: enabled)
       Active: inactive (dead)

    systemctl status uruk

    root@okutank:~# systemctl show uruk | wc -l
    175
    GuessMainPID=yes
    MainPID=0
    LoadState=loaded
    ActiveState=inactive
    SubState=dead
    CanReload=no
    StartLimitBurst=5
    StartLimitAction=none

    Mon 04 15:39 < joostvb> systemctl status foo
    Mon 04 15:39 < joostvb> says
    Mon 04 15:39 < joostvb> Active: inactive (dead)
    Mon 04 15:39 < joostvb> how do you find out why systemd did it that way?
    Mon 04 15:39 < joostvb> systemctl show foo
    Mon 04 15:39 < joostvb> that doesn't help

    root@okutank:~# urukctl start
    root@okutank:~# service uruk status
    ● uruk.service - Uruk firewall service
       Loaded: loaded (/lib/systemd/system/uruk.service; static; vendor preset: enabled)
       Active: inactive (dead)
    root@okutank:~# iptables -L -n -v | wc -l
    81
    root@okutank:~# service uruk start
    root@okutank:~# service uruk status
    green
       Active: active (exited) since Mon 2017-12-04 15:42:39 CET; 2s ago

    root@okutank:~# mv /etc/network/if-up.d/uruk ~/
    root@okutank:~# reboot
    root@okutank:~# service uruk status
    ● uruk.service - Uruk firewall service
       Loaded: loaded (/lib/systemd/system/uruk.service; static; vendor preset: enabled)
       Active: inactive (dead)
    root@okutank:~# systemctl status --all
    ● okutank
        State: running
         Jobs: 0 queued
       Failed: 0 units
    ● apt-daily.service - Daily apt download activities
       Loaded: loaded (/lib/systemd/system/apt-daily.service; static; vendor preset: enabled)
       Active: inactive (dead)
         Docs: man:apt(8)
    ● apt-daily.timer - Daily apt download activities
       Loaded: loaded (/lib/systemd/system/apt-daily.timer; enabled; vendor preset: enabled)
       Active: active (waiting) since Mon 2017-12-04 15:52:54 CET; 1min 24s ago

    root@okutank:/sbin# cp -a urukctl,bak urukctl
    root@okutank:/sbin# vi urukctl

    Dec 6 15:25:27 okutank urukctl[511]: running urukctl...

    root@okutank:~# mv /etc/network/if-up.d/uruk ~/
    root@okutank:~# reboot

    Dec 6 15:27:47 okutank systemd[1]: Stopping Service for virtual machines hosted on VMware...
    Dec 6 15:27:59 okutank systemd-modules-load[291]: Module 'ipv6' is builtin

    root@okutank:~# grep urukctl /lib/systemd/system/uruk.service
    ExecStart=/sbin/urukctl start
    root@okutank:~# grep running /sbin/urukctl | tail -1
    echo "running urukctl..." 1>&2

"masked" or something?
nope:

    root@okutank:~# systemctl list-unit-files | grep -C2 uruk
    umountroot.service                     masked
    urandom.service                        static
    uruk.service                           static
    user@.service                          static
    vgauth.service                         enabled

uruk has to belong to a target; it should be "enabled" rather than "static",
perhaps.

this does seem to work:

    Wed 06 15:38 <%Fruit> [Install]
    Wed 06 15:38 <%Fruit> WantedBy=network-pre.target

is probably fine.

    [Unit]
    Wed 06 15:39 < joostvb> Wants=network-pre.target
    Wed 06 15:39 < joostvb> Before=network-pre.target shutdown.target

is wrong: we want network-pre to depend on uruk.

maybe something like this works:

    [Unit]
    Description=Uruk firewall service
    DefaultDependencies=no

    [Install]
    WantedBy=network-pre.target

    [Service]
    Type=oneshot
    RemainAfterExit=yes
    ExecStart=/sbin/urukctl start

    root@okutank:/lib/systemd/system# cp -a uruk.service ~/
    root@okutank:/lib/systemd/system# vi uruk.service

now:

    root@okutank:~# systemctl list-unit-files | grep -C2 uruk
    uruk.service                           disabled
    root@okutank:~# systemctl enable uruk
    Synchronizing state of uruk.service with SysV service script with /lib/systemd/systemd-sysv-install.
    Executing: /lib/systemd/systemd-sysv-install enable uruk
    uruk.service                           enabled

restore everything again:

    root@okutank:/sbin# mv urukctl,bak urukctl
    root@okutank:~# mv uruk /etc/network/if-up.d/uruk
    root@okutank:~# mv uruk.service /lib/systemd/system/

  * debian/{postinst,postrm}: ship a symlink to /dev/null as
    /lib/systemd/system/uruk.service since the uruk init script is not
    applicable in systemd: we use ifupdown. Fixes "uruk: Has init script in
    runlevel S but no matching service file". Thanks fsateler@d.o.
    Closes: #796700

nb: #796700 has been closed

    # systemd #796700 - uruk: Has init script in runlevel S but no matching service file
    # "[...] the script is simply not applicable in systemd, in which case the package
    # should ship a symlink to /dev/null as /lib/systemd/system/.service."
    # https://wiki.debian.org/Teams/pkg-systemd/rcSMigration
    if !
    test -L /lib/systemd/system/uruk.service
    then
        ln -s /dev/null /lib/systemd/system/uruk.service
    fi

https://wiki.debian.org/Teams/pkg-systemd/rcSMigration :

    Your service is needed to configure firewalls or network interfaces

    If you need to configure firewalls, network interfaces, or anything else
    which needs to happen before bringing up the first network interface, then
    you should order the service as follows (eg, if you need to run before
    ifupdown/networkd):

        [Unit]
        Description=An early boot service
        DefaultDependencies=no
        Wants=network-pre.target
        Before=network-pre.target shutdown.target
        Conflicts=shutdown.target

Lots of other ideas:

drop the default rule "check if incoming traffic is targeted at current IP":
make it possible to have sane uruk rules _without_ knowing the current IP.

before any interface is up: drop all traffic, via init script or ---

Check out http://wiki.debian.org/FirewallByDefault and
http://wiki.debian.org/Firewalls .

Check out https://wiki.ubuntu.com/UbuntuFirewall and
https://wiki.ubuntu.com/UncomplicatedFirewall aka "ufw".

Supply a script to consume /etc/ufw/applications.d/ , e.g.:

    joostvb@incagijs:~% cat /etc/ufw/applications.d/openssh-server
    [OpenSSH]
    title=Secure shell server, an rshd replacement
    description=OpenSSH is a free implementation of the Secure Shell protocol.
    ports=22/tcp

We might want to check the /var/lib/uruk/iptables stuff on
purge/removal/reinstallation. (Currently, it's kept on purge.) Recheck
http://women.alioth.debian.org/wiki/index.php/English/MaintainerScripts .

Use doc-base for registering documentation.

Replace our md5sums generating stuff with something like:

    while read f; do \
        exclude="$$exclude ! -path .$$f"; \
    done < debian/conffiles; \
    cd debian/$(package); \
    find . -type f $$exclude ! -regex '.*/DEBIAN/.*' -printf '%P\0' | \
        xargs -r0 md5sum > DEBIAN/md5sums

This honors conffiles. Or just call dh_md5sums... (And we might choose to go
use debhelper for all the rest, or cdbs, while we're at it.)
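The restart storm observed on poncelet (one "systemctl restart uruk" per interface from the if-up.d hook, until systemd's start rate limit trips; the unit shows StartLimitBurst=5) can be spotted in syslog without reproducing it. The following script is an added example, not part of uruk: it counts "Starting <unit description>..." lines inside a sliding window and reports the moment the burst limit is exceeded. It assumes the syslog line format shown in this file, lines from a single day, and a 10 s window, which is systemd's default StartLimitInterval unless the unit overrides it; the sample log is constructed from the poncelet lines, extended to six starts in one second.

```shell
#!/bin/sh
# Added example (not part of uruk): detect a systemd start-rate storm for a
# unit from syslog lines.  Assumes the "Mon DD HH:MM:SS host systemd[1]:
# Starting <Description>..." format shown in this file and that all lines come
# from one day (only the time of day is parsed).

# Constructed sample, modelled on the poncelet log in this file and extended to
# six starts within one second so that StartLimitBurst=5 is actually exceeded.
SAMPLE_LOG='Nov 13 12:19:41 poncelet systemd[1]: Started Raise network interfaces.
Nov 13 12:19:42 poncelet systemd[1]: Starting Uruk firewall service...
Nov 13 12:19:42 poncelet systemd[1]: Started Uruk firewall service.
Nov 13 12:19:42 poncelet systemd[1]: Stopping Uruk firewall service...
Nov 13 12:19:42 poncelet systemd[1]: Starting Uruk firewall service...
Nov 13 12:19:42 poncelet systemd[1]: Started Uruk firewall service.
Nov 13 12:19:42 poncelet systemd[1]: Stopping Uruk firewall service...
Nov 13 12:19:42 poncelet systemd[1]: Starting Uruk firewall service...
Nov 13 12:19:42 poncelet systemd[1]: Starting Uruk firewall service...
Nov 13 12:19:42 poncelet systemd[1]: Starting Uruk firewall service...
Nov 13 12:19:42 poncelet systemd[1]: Starting Uruk firewall service...
Nov 13 12:19:43 poncelet systemd[1]: Started OpenBSD Secure Shell server.'

# restart_storm_events DESCRIPTION [BURST] [WINDOW_SECONDS]
# Reads syslog lines on stdin and prints "HH:MM:SS <count>" for every
# "Starting DESCRIPTION..." line that is start number BURST+1 or later within
# the preceding WINDOW_SECONDS.  Prints nothing when the unit is fine.
# BURST defaults to the StartLimitBurst=5 shown in this file; WINDOW defaults
# to 10, systemd's default StartLimitInterval (an assumption: check the unit).
restart_storm_events() {
    awk -v desc="$1" -v burst="${2:-5}" -v window="${3:-10}" '
        $5 == "systemd[1]:" && index($0, "Starting " desc "...") {
            split($3, t, ":")
            now = t[1] * 3600 + t[2] * 60 + t[3]
            starts[++n] = now
            # number of starts inside the window, this one included
            c = 0
            for (i = n; i >= 1 && now - starts[i] < window; i--) c++
            if (c > burst) print $3, c
        }'
}

# Stand-alone run over the constructed sample: reports the sixth start in
# 12:19:42.  Against a live box:
#   restart_storm_events "Uruk firewall service" < /var/log/syslog
printf '%s\n' "$SAMPLE_LOG" | restart_storm_events "Uruk firewall service"
```

A non-empty result means the unit hit the rate limit at that second; on a jessie box with StartLimitAction=none that is exactly the state the file describes, "inactive (dead)" with no rules loaded, so the script is a cheap post-boot check for hosts with many interfaces.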
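The uruk.service seen on okutank is "static" and carries no ordering against network-pre.target, while the rcSMigration text quoted above lists exactly the directives an early-boot firewall unit needs. The script below is an added example, not part of uruk: a small lint that checks a unit for those directives, run over the unit as this file shows it and over a corrected version. The corrected unit's WantedBy=multi-user.target is an assumption made here so that "systemctl enable uruk" has a target to hook into (this file itself tries WantedBy=network-pre.target); the rest follows the wiki snippet and the [Service] section shown above.

```shell
#!/bin/sh
# Added example (not part of uruk): lint a systemd unit for the ordering that
# the Debian rcSMigration wiki prescribes for firewall services, i.e. run
# before network-pre.target, stop cleanly on shutdown, and be enable-able.

# The unit as this file shows it on okutank: "static" (no [Install]) and no
# ordering against network-pre.target.  Reconstructed from the text above.
UNIT_BEFORE='[Unit]
Description=Uruk firewall service
DefaultDependencies=no

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/sbin/urukctl start'

# Same unit with the wiki ordering added.  WantedBy=multi-user.target is an
# assumption made for this example so that "systemctl enable uruk" works.
UNIT_AFTER='[Unit]
Description=Uruk firewall service
DefaultDependencies=no
Wants=network-pre.target
Before=network-pre.target shutdown.target
Conflicts=shutdown.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/sbin/urukctl start

[Install]
WantedBy=multi-user.target'

# has_directive UNIT_TEXT SECTION KEY VALUE
# True when KEY= inside [SECTION] lists VALUE among its space-separated values
# (Before=, Wants= and Conflicts= take several units on one line).
has_directive() {
    printf '%s\n' "$1" | awk -v sec="[$2]" -v key="$3" -v val="$4" '
        /^\[/ { insec = ($0 == sec); next }
        insec && index($0, key "=") == 1 {
            n = split(substr($0, length(key) + 2), vals, " ")
            for (i = 1; i <= n; i++) if (vals[i] == val) found = 1
        }
        END { exit !found }'
}

# check_firewall_unit UNIT_TEXT
# Prints one line per missing directive and returns 1 if anything is missing.
check_firewall_unit() {
    unit=$1
    rc=0
    for spec in \
        "Unit DefaultDependencies no" \
        "Unit Wants network-pre.target" \
        "Unit Before network-pre.target" \
        "Unit Before shutdown.target" \
        "Unit Conflicts shutdown.target" \
        "Service RemainAfterExit yes"
    do
        set -- $spec
        if ! has_directive "$unit" "$1" "$2" "$3"; then
            echo "missing: [$1] $2=$3"
            rc=1
        fi
    done
    # Without an [Install] section the unit stays "static": there is no
    # target for "systemctl enable" to hook it into.
    if ! printf '%s\n' "$unit" | grep -q '^WantedBy='; then
        echo "missing: [Install] WantedBy=<target>"
        rc=1
    fi
    return $rc
}

# Stand-alone run: the unit from this file fails, the corrected one passes.
for unit_text in "$UNIT_BEFORE" "$UNIT_AFTER"; do
    if check_firewall_unit "$unit_text"; then
        echo "ok: ordered before network-pre.target and can be enabled"
    fi
done
```

To lint the installed unit instead of the embedded strings: check_firewall_unit "$(cat /lib/systemd/system/uruk.service)". The check is deliberately literal about shutdown.target: without Conflicts=shutdown.target plus Before=shutdown.target a DefaultDependencies=no unit is not stopped in an ordered way at shutdown, which is the second half of what the wiki snippet is for.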
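For the "supply a script to consume /etc/ufw/applications.d/" idea, here is an added example (not part of uruk or ufw) of the parsing side: it reads ufw application profiles and emits one "profile proto port" line per port, a neutral form from which uruk rules could be generated. It assumes ufw's documented ports= syntax: entries separated by "|", each PORTS/PROTO with PORTS a comma list of ports or LOW:HIGH ranges, and an entry without a protocol meaning both tcp and udp. The sample is the openssh-server profile quoted above plus a constructed second profile.

```shell
#!/bin/sh
# Added example (not part of uruk or ufw): parse ufw application profiles
# (INI-style files in /etc/ufw/applications.d/) into "profile proto port"
# lines.  Assumed ufw syntax for ports=: entries separated by "|", each
# "PORTS/PROTO"; PORTS is a comma-separated list of ports or LOW:HIGH ranges;
# an entry without "/PROTO" means both tcp and udp.

# Constructed sample: the openssh-server profile quoted in this file plus a
# made-up profile that exercises the multi-entry, range and no-protocol forms.
SAMPLE_PROFILES='[OpenSSH]
title=Secure shell server, an rshd replacement
description=OpenSSH is a free implementation of the Secure Shell protocol.
ports=22/tcp

[Example]
title=constructed profile for this example
description=not a real ufw profile
ports=137,138/udp|139,445/tcp|8000:8002'

# ufw_profile_ports: profiles on stdin, "<profile> <proto> <port>" on stdout.
ufw_profile_ports() {
    awk '
        /^\[/ { profile = substr($0, 2, length($0) - 2); next }
        index($0, "ports=") == 1 {
            n = split(substr($0, 7), entries, "|")
            for (i = 1; i <= n; i++) {
                # "PORTS/PROTO" or bare "PORTS" (then both protocols)
                protos = (split(entries[i], pp, "/") == 2) ? pp[2] : "tcp udp"
                np = split(protos, proto, " ")
                nports = split(pp[1], port, ",")
                for (j = 1; j <= nports; j++)
                    for (q = 1; q <= np; q++)
                        print profile, proto[q], port[j]
            }
        }'
}

# Stand-alone run over the constructed sample.  On a real system:
#   cat /etc/ufw/applications.d/* | ufw_profile_ports
printf '%s\n' "$SAMPLE_PROFILES" | ufw_profile_ports
```

The output keeps port ranges as LOW:HIGH, the form iptables --dport accepts, so a rule generator only needs to split each line into its three fields.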