Open JohnMertz opened 1 year ago
There is a systemd loop with UFW. The default unit file wants 'network-pre.target' and should run before it. However, other services in MailCleaner need networking to be up already. UFW needs mariadb to be running to run the dump script, but it won't run until the network is up, and the network won't be up until UFW is.
So, there are a few possible solutions:
I tried to remove the 'wants' and 'before' on 'network-pre' with an override file, but this did not work.
Instead, UFW should probably be allowed to run at all times, and MailCleaner should simply load in its rules on start and unload them on stop (and be able to report whether they are loaded on status). This probably means creating a different unit which is just responsible for loading and unloading the rules and we can detect that. This would also allow a different set of rules for mailcleaner-stopped.target.
Alternatively, we could mask the existing unit so that networking starts without UFW, then make a new, nearly identical unit that only starts when mailcleaner is running. This would make the networking configuration less extensible and would not allow different rules for mailcleaner-stopped.target.
I'm still getting up to speed on the UFW configuration to figure out how to best dynamically load and unload rules.
In order to smooth the transition from iptables to nftables, I'm going to leverage ufw configuration files to generate the rules instead. Since services are now running with lower permissions, it will also be necessary to configure additional non-privileged ports to forward to privileged ones.
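The following is an added example, not MailCleaner's or ufw's own code, sketching the option discussed above: a dedicated unit that loads the rules only after the network and mariadb are up, unloads them on stop, and can be queried for status, with the ruleset generated from a ufw-style configuration file and the privileged-to-unprivileged port redirect mentioned in the second comment. The rules file path, the nft table name, the unit name, and the minimal `allow`/`redirect` line syntax are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not MailCleaner project code). Generates an nftables table
# from a ufw-style rules file and exposes load/unload/status for a systemd
# unit that is ordered after the network and mariadb, independent of ufw.service.
# All names and paths below are assumptions for illustration.

TABLE="mailcleaner"                                             # assumed nft table name
RULES_FILE="${MC_RULES_FILE:-/etc/mailcleaner/firewall.rules}"  # assumed config path

# Emit one accept rule per protocol.
emit_accept() { printf '    %s dport %s accept\n' "$1" "$2"; }

# Turn a ufw-style file into an nft ruleset on stdout. Supported lines
# (an assumed, minimal subset of ufw syntax; '#' comments and blanks ignored):
#   allow 25/tcp          accept inbound tcp port 25
#   allow 53              no proto given: accept both tcp and udp (ufw default)
#   redirect 25/tcp 2525  redirect privileged port 25 to an unprivileged listener
gen_ruleset() {
    file="$1"
    printf 'table inet %s {\n' "$TABLE"
    printf '  chain input {\n    type filter hook input priority 0; policy drop;\n'
    printf '    ct state established,related accept\n    iif lo accept\n'
    grep -v '^[[:space:]]*#' "$file" | while read -r action spec target _; do
        [ "$action" = allow ] || continue
        case "$spec" in
            */*) emit_accept "${spec#*/}" "${spec%/*}" ;;
            *)   emit_accept tcp "$spec"; emit_accept udp "$spec" ;;
        esac
    done
    printf '  }\n'
    printf '  chain prerouting {\n    type nat hook prerouting priority -100;\n'
    grep -v '^[[:space:]]*#' "$file" | while read -r action spec target _; do
        [ "$action" = redirect ] && [ -n "$target" ] || continue
        printf '    %s dport %s redirect to :%s\n' "${spec#*/}" "${spec%/*}" "$target"
    done
    printf '  }\n}\n'
}

# Load atomically: create-if-missing, flush, then apply, all in one nft transaction,
# so a reload never leaves the host with an empty input chain.
load() {
    { printf 'table inet %s {}\nflush table inet %s\n' "$TABLE" "$TABLE"
      gen_ruleset "$RULES_FILE"; } | nft -f -
}
unload() { nft delete table inet "$TABLE" 2>/dev/null || true; }
status() { nft list table inet "$TABLE" >/dev/null 2>&1; }   # exit 0 iff loaded

# Write a oneshot unit (assumed name mailcleaner-firewall.service) that runs
# after the network and mariadb, stays "active (exited)" while rules are loaded,
# and unloads them on stop. $1 = path of this script, $2 = output unit file.
write_unit() {
    cat >"$2" <<EOF
[Unit]
Description=MailCleaner firewall rules (nftables)
After=network-online.target mariadb.service
Wants=network-online.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=$1 load
ExecReload=$1 load
ExecStop=$1 unload

[Install]
WantedBy=multi-user.target
EOF
}

# Dispatch only when invoked with a subcommand (no args: define functions only).
case "${1:-}" in
    load)   load ;;
    unload) unload ;;
    show)   gen_ruleset "$RULES_FILE" ;;
    status) if status; then echo "rules loaded"; else echo "rules not loaded"; exit 3; fi ;;
    install-unit) write_unit "$(readlink -f "$0")" /etc/systemd/system/mailcleaner-firewall.service ;;
esac
```

Because the unit uses `RemainAfterExit=yes`, `systemctl is-active mailcleaner-firewall` answers the "are the rules loaded" question the issue asks for, and `ExecStop` runs `unload` so stopping MailCleaner leaves ufw.service itself untouched; a separate unit with a different rules file could be wired to mailcleaner-stopped.target in the same way.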