nofirewall option does not always work

When booting with nofirewall, sometimes the firewall is still activated. I experienced this more often on faster machines with many cores than on slower ones.

Here is an excerpt of the journal from when it failed and iptables still got initialized:

Apr 04 13:20:36 sysrescue sysrescue-initialize[619]: Found option 'nofirewall' on the boot command line
Apr 04 13:20:36 sysrescue pacman-key[655]: gpg: porting secret keys from '/etc/pacman.d/gnupg/secring.gpg' to gpg-agent
Apr 04 13:20:36 sysrescue pacman-key[655]: gpg: migration succeeded
Apr 04 13:20:36 sysrescue pacman-key[666]: gpg: Generating pacman keyring master key...
Apr 04 13:20:36 sysrescue sysrescue-initialize[661]: Removed /etc/systemd/system/multi-user.target.wants/ip6tables.service.
Apr 04 13:20:36 sysrescue sysrescue-initialize[661]: Removed /etc/systemd/system/multi-user.target.wants/iptables.service.
Apr 04 13:20:36 sysrescue systemd[1]: Reloading.
Apr 04 13:20:36 sysrescue systemd-gpt-auto-generator[684]: EFI loader partition unknown, exiting.
Apr 04 13:20:36 sysrescue systemd-gpt-auto-generator[684]: (The boot loader did not set EFI variable LoaderDevicePartUUID.)
Apr 04 13:20:36 sysrescue systemd[1]: Finished Setup Virtual Console.
Apr 04 13:20:36 sysrescue audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-vconsole-setup comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Apr 04 13:20:36 sysrescue audit[616]: NETFILTER_CFG table=filter family=2 entries=4 op=xt_replace pid=616 comm="iptables-restor"
Apr 04 13:20:36 sysrescue systemd[1]: iptables.service: Main process exited, code=killed, status=15/TERM
Apr 04 13:20:36 sysrescue systemd[1]: iptables.service: Failed with result 'signal'.
Apr 04 13:20:36 sysrescue systemd[1]: Stopped IPv4 Packet Filtering Framework.
Apr 04 13:20:36 sysrescue audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=iptables comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Apr 04 13:20:36 sysrescue systemd[1]: Reached target Network (Pre).

It seems like systemd is starting the iptables service and then killing it, but too late.

I guess the reason is missing explicit ordering in the service files. I plan to create a fix for this.
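One way to confirm the race from a saved journal rather than by eye, added here as an example (this is not code from the report or from SystemRescue): it walks the lines in order and checks whether a netfilter ruleset was pushed into the kernel after the nofirewall option was recognised and after the wants-symlinks were removed. The sample journal is constructed from the excerpt above; the unit and message patterns are assumptions based on that excerpt.

```python
import re

# Constructed sample, modelled on the journal excerpt in the report (not a real capture).
SAMPLE_JOURNAL = """\
Apr 04 13:20:36 sysrescue sysrescue-initialize[619]: Found option 'nofirewall' on the boot command line
Apr 04 13:20:36 sysrescue sysrescue-initialize[661]: Removed /etc/systemd/system/multi-user.target.wants/ip6tables.service.
Apr 04 13:20:36 sysrescue sysrescue-initialize[661]: Removed /etc/systemd/system/multi-user.target.wants/iptables.service.
Apr 04 13:20:36 sysrescue systemd[1]: Reloading.
Apr 04 13:20:36 sysrescue audit[616]: NETFILTER_CFG table=filter family=2 entries=4 op=xt_replace pid=616 comm="iptables-restor"
Apr 04 13:20:36 sysrescue systemd[1]: iptables.service: Main process exited, code=killed, status=15/TERM
Apr 04 13:20:36 sysrescue systemd[1]: Stopped IPv4 Packet Filtering Framework.
"""

# Message patterns are assumptions derived from the excerpt, not an official log format.
NOFIREWALL_RE = re.compile(r"sysrescue-initialize\[\d+\]: Found option 'nofirewall'")
UNWANTED_RE = re.compile(r"Removed /etc/systemd/system/multi-user\.target\.wants/(ip6?tables)\.service")
NETFILTER_RE = re.compile(r'NETFILTER_CFG table=(\w+) family=(\d+) entries=(\d+) op=(\w+) pid=\d+ comm="([^"]+)"')
KILLED_RE = re.compile(r"(ip6?tables)\.service: Main process exited, code=killed")
FAMILY = {"2": "ipv4", "10": "ipv6"}  # AF_INET / AF_INET6 as numbered in audit records

def analyze(journal):
    """Walk journal lines in order and report whether a netfilter ruleset was
    installed after 'nofirewall' was recognised (the race described in the report)."""
    nofirewall_at = None   # line number where the boot option was seen
    unwanted = {}          # unit -> line number where its wants-symlink was removed
    rules = []             # (line, table, family, entries, comm) for non-empty rule loads
    killed = {}            # unit -> line number where systemd killed it
    for lineno, line in enumerate(journal.splitlines(), 1):
        if NOFIREWALL_RE.search(line):
            nofirewall_at = lineno
        elif (m := UNWANTED_RE.search(line)):
            unwanted[m.group(1)] = lineno
        elif (m := NETFILTER_RE.search(line)):
            table, fam, entries, op, comm = m.groups()
            if op == "xt_replace" and int(entries) > 0:
                rules.append((lineno, table, FAMILY.get(fam, fam), int(entries), comm))
        elif (m := KILLED_RE.search(line)):
            killed[m.group(1)] = lineno
    # Race: the option was recognised, yet a ruleset still reached the kernel afterwards.
    race = nofirewall_at is not None and any(r[0] > nofirewall_at for r in rules)
    # Symlink removal preceded the rule load: the unit was already queued when it was disabled.
    disabled_too_late = bool(unwanted) and any(r[0] > max(unwanted.values()) for r in rules)
    return {
        "nofirewall_requested": nofirewall_at is not None,
        "rules_loaded": [(t, f, e, c) for _, t, f, e, c in rules],
        "units_killed_after_rules": sorted(u for u, ln in killed.items() if any(ln > r[0] for r in rules)),
        "race": race,
        "disabled_too_late": disabled_too_late,
    }

if __name__ == "__main__":
    print(analyze(SAMPLE_JOURNAL))
```

Feed it `journalctl -b -o short` output from an affected boot; a `race` of True together with a non-empty `units_killed_after_rules` is the signature seen in the excerpt, where the stop arrived only after iptables-restore had already replaced the filter table.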