adrelanos closed 7 years ago
Easier said than done, because the failure might e.g. be in calling the iptables binary itself. So we'd still need to prevent the network from starting, which is already done automatically for systemd-networkd or Qubes users and documented for other users at the beginning of https://github.com/rustybird/corridor/blob/master/README.md#systemd
In case some corridor systemd service or corridor binary fails (perhaps due to some configuration mistake or hypothetical corridor bug), please iptables lock all networking.
Or maybe better, have a corridor service that locks the network first and have corridor on success unlock it.
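The lock-first ordering requested above, together with the reply's point that the iptables call itself can fail, as an added example that is not corridor's code. The names `lock_network`, `guarded_start` and the `IPT` override are hypothetical, and the setup command is whatever installs the real rules.

```shell
#!/bin/sh
# Added example, not part of corridor. IPT is an assumed override so the
# wrapper can be exercised without root; it defaults to the real binary.
IPT="${IPT:-iptables}"

# Set a DROP policy on every built-in filter chain, then flush the chain.
# Policy goes first so there is no moment where a flushed chain accepts.
# (IPv6 needs the same calls through ip6tables.)
lock_network() {
    for chain in INPUT FORWARD OUTPUT; do
        "$IPT" -P "$chain" DROP || return 1
        "$IPT" -F "$chain" || return 1
    done
}

# Lock first, then run the setup command given as arguments.
# Exit status:
#   0  setup succeeded and has installed its own rules
#   1  setup failed, network is locked again
#   2  locking itself failed (e.g. iptables could not be executed), so the
#      firewall state is unknown and the network must not be brought up
guarded_start() {
    lock_network || return 2
    if "$@"; then
        return 0
    fi
    # Setup may have added rules before failing: drop back to the lock.
    lock_network || return 2
    return 1
}

# Usage (as root):  guarded_start /path/to/setup-command
```

Status 2 is the case the reply describes: the wrapper cannot enforce anything, so only an ordering dependency that keeps the network from starting helps.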