Hmm, the firewall actually needs to be initialized before we set up the various .socket units, so that there is no time window where the socket is bound but the firewall not yet up. Currently there is no nice way to order a service before all sockets are up. I have now added to the TODO list that we should introduce "sockets-pre.target" which would be sorted before all socket units, and before which the fw would then have to sort itself.

That also means that any firewall setup needs to happen as part of early boot.

sockets-pre.target would be ordered before basic.target, normal services are ordered after basic.target. That means all normal services would then be run with firewall up. sockets-pre.target would hence be a more generic firewall.target the way you requested it.

Actually thinking about, "sysinit.target" which is run before all sockets already does the job of a "sockets-pre.target" just fine, so don't really need the latter.

hence: please make your fw services an early-boot service, and order it before sysinit.target, and you can be sure that it will be up before any system sockets or bound or any normal services are run.

(In reply to comment #2)
> Actually thinking about, "sysinit.target" which is run before all sockets
> already does the job of a "sockets-pre.target" just fine, so don't really
> need the latter.
> 
> hence: please make your fw services an early-boot service, and order it
> before sysinit.target, and you can be sure that it will be up before any
> system sockets or bound or any normal services are run.

Thanks for the suggestion.  Just to be sure I have it correct, is this the correct syntax for /usr/lib/systemd/system/ufw.service?

[Unit]
Description=CLI Netfilter Manager

[Service]
Type=oneshot
ExecStart=/usr/lib/ufw/ufw-init start
ExecStop=/usr/lib/ufw/ufw-init stop
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
Before=sysinit.target

Before= is a [Unit] section setting. See 'man systemd.unit' for more information.

Thank you for the reference to the manpage.

Actually, this does NOT work. Here is a clean startup:

% status ufw
ufw.service - CLI Netfilter Manager
Loaded: loaded (/usr/lib/systemd/system/ufw.service; enabled)
Active: inactive (dead)

Jan 22 09:14:18 reborn ufw-init[183]: WARNING: The state match is obsolete. Use conntrack instead.
Jan 22 09:14:18 reborn ufw-init[183]: WARNING: The state match is obsolete. Use conntrack instead.
Jan 22 09:14:19 reborn ufw-init[183]: WARNING: The state match is obsolete. Use conntrack instead.
Jan 22 09:14:19 reborn systemd[1]: Started CLI Netfilter Manager.
Jan 22 10:08:33 reborn systemd[1]: Stopping CLI Netfilter Manager...
Jan 22 10:08:33 reborn systemd[1]: Stopped CLI Netfilter Manager.
Jan 22 10:12:09 reborn systemd[1]: Stopped CLI Netfilter Manager.
Jan 22 10:12:15 reborn systemd[1]: Starting CLI Netfilter Manager...
Jan 22 10:12:16 reborn systemd[1]: Started CLI Netfilter Manager.
Jan 22 10:14:28 reborn systemd[1]: Job ufw.service/stop deleted to break ordering cycle starting with sysinit.target/stop

Created attachment 73472 [details]
proposed ufw.service

DefaultDependencies=no is essential for early-boot services. (Which the attached file already uses correctly). In that file you do want to use "Conflicts=shutdown.target" and "Before=shutdown.target" btw, so that the thing gets shutdown at boot.  

The attached units looks pretty good otherwise.

Is it the attached unit file that doesn't work btw? Or is everything solved now? It's a bit unclear here...

The attachment of comment #7 works wonderfully. Prior to that, the service was failing due the missing "DefaultDependencies=no" entry required when using "Before=sysinit.target".

I didn't find the absence of shutdown.target detrimental so far, but I'll add them just to be safe and submit the complete service file to the ufw project.

Thank you for the valuable input.