port to netfilter-persistent?


ID: 487
PHID: PHID-TASK-w4s7a4zwtnzanvswulam
Author: Patrick
Status at Migration Time: open
Priority at Migration Time: Normal


  • port to netfilter-persistent?
    ** It might be more appropriate than whonix-firewall.service for getting the firewall loaded before any networking comes up.
    ** Could therefore simplify the setup, and
    ** allow additional custom/extension-package firewall rules to be loaded before and after Whonix Firewall.

  • NOT iptables-persistent
    ** (which is more useful to local system administrators rather than distribution maintainers)

cat /usr/share/doc/netfilter-persistent/README
netfilter-persistent and its plugins

netfilter-persistent does no work on its own. You need the accompanying
plugins (for example, iptables-persistent) to load and save filter rules.

However, commands are run from netfilter-persistent. For example, to save
all filter rules:

   netfilter-persistent save

or to load them:

   netfilter-persistent start

For more details, see `man netfilter-persistent`.

The system service will try to load rules at startup if enabled, but by
default it will not flush rules at shutdown. This behaviour can be changed
by editing /etc/default/netfilter-persistent.

 -- Jonathan Wiltshire <jmw@debian.org>  Sat, 02 Jan 2016 00:00:00 +0000

man netfilter-persistent

       netfilter-persistent uses a set of plugins to load, flush and save netfilter rules at boot and halt time.  Plugins can be written in any suitable language and stored in
       Plugins  can  be written in any language and are merely executed by netfilter-persistent with a single argument.  All plugins are stored in /usr/share/netfilter-persis‐

       Plugins must implement the start flush and save arguments and must not rely on additional arguments for other functionality.
       Plugins must return 0 on success and any other code on failure.

       Plugins are free to use and extend the configuration in /etc/default/netfilter-persistent and to implement their own configuration files.
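A minimal plugin that follows the contract in the man page excerpt above (executed with a single argument, must implement start, flush and save, must exit 0 on success and non-zero otherwise, may keep its own configuration file). This is an added example, not Whonix's code and not part of the netfilter-persistent package. Assumptions: the plugin is installed as an executable file named along the lines of 20-example-firewall in the plugin directory the man page names (path truncated above), and plugins are run by run-parts in lexical order, so the numeric prefix orders it relative to the other plugins and the name must not contain dots; the plugin's own config file /etc/default/example-firewall and its ADMIN_TCP_PORT key are hypothetical; /etc/iptables/rules.v4 is an assumed rules-file location.

```shell
#!/bin/sh
# Hypothetical netfilter-persistent plugin "20-example-firewall" (added example,
# not Whonix's or netfilter-persistent's code).  Called with exactly one
# argument: start, flush or save.  Exit status 0 means success.
set -u

# External commands are variables so the plugin can be dry-run with stand-ins.
IPTABLES="${IPTABLES:-iptables}"
IPTABLES_SAVE="${IPTABLES_SAVE:-iptables-save}"
IPTABLES_RESTORE="${IPTABLES_RESTORE:-iptables-restore}"
RULES_FILE="${RULES_FILE:-/etc/iptables/rules.v4}"          # assumed path
PLUGIN_CONF="${PLUGIN_CONF:-/etc/default/example-firewall}" # hypothetical own config
ADMIN_TCP_PORT="${ADMIN_TCP_PORT:-}"                        # hypothetical key: optional inbound TCP port

# A value read from a config file is interpolated into the ruleset, so insist
# on a bare integer in range before using it; a crafted "22 -j ACCEPT" must
# not become an extra rule.
validate_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# The config file is sourced like /etc/default/* files are, so it must be
# root-owned; validation catches malformed values, not hostile files.
load_plugin_config() {
    if [ -r "$PLUGIN_CONF" ]; then
        # shellcheck disable=SC1090
        . "$PLUGIN_CONF"
    fi
    if [ -n "$ADMIN_TCP_PORT" ] && ! validate_port "$ADMIN_TCP_PORT"; then
        echo "example-firewall: invalid ADMIN_TCP_PORT '$ADMIN_TCP_PORT' in $PLUGIN_CONF" >&2
        return 1
    fi
    return 0
}

# Emit the whole filter table in iptables-restore syntax.  iptables-restore
# commits a table atomically, so a bad rule rejects the whole load and leaves
# the previous ruleset in place instead of a half-applied one.
build_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    if [ -n "$ADMIN_TCP_PORT" ]; then
        echo "-A INPUT -p tcp --dport $ADMIN_TCP_PORT -m conntrack --ctstate NEW -j ACCEPT"
    fi
    echo "COMMIT"
}

plugin_start() {
    load_plugin_config || return 1
    build_ruleset | "$IPTABLES_RESTORE"
}

# flush: open the firewall (policies ACCEPT, no rules, no custom chains).
plugin_flush() {
    for chain in INPUT FORWARD OUTPUT; do
        "$IPTABLES" -P "$chain" ACCEPT || return 1
    done
    "$IPTABLES" -F && "$IPTABLES" -X
}

# save: dump the live ruleset; write to a temp file and rename so a crash
# mid-write cannot leave a truncated file that iptables-restore rejects at boot.
plugin_save() {
    tmp="$RULES_FILE.tmp.$$"
    if "$IPTABLES_SAVE" > "$tmp"; then
        mv "$tmp" "$RULES_FILE"
    else
        rm -f "$tmp"
        return 1
    fi
}

plugin_main() {
    if [ "$#" -ne 1 ]; then
        echo "usage: $0 {start|flush|save}" >&2
        return 1
    fi
    case "$1" in
        start) plugin_start ;;
        flush) plugin_flush ;;
        save)  plugin_save ;;
        *)     echo "$0: unknown action '$1'" >&2; return 1 ;;
    esac
}

# Dispatch only when invoked with an argument (as netfilter-persistent does);
# sourcing the file with no arguments just defines the functions.
if [ "$#" -gt 0 ]; then
    plugin_main "$@"
    exit "$?"
fi
```

For a dry run without touching the live tables, override the command variables, for example IPTABLES_RESTORE=cat to print the generated ruleset instead of loading it. Two design points matter for a plugin that is meant to run before networking is up: loading through iptables-restore keeps the table consistent even if one rule is rejected, and a plugin that cannot produce a valid ruleset exits non-zero rather than loading a partial one, so netfilter-persistent reports the failure instead of silently bringing the host up open.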


systemd feature request:
please provide a drop-in folder for firewall scripts



