Yes and no. As I mentioned I tried to combine both .service files by using the following logic:
SuSEfirewall2.service wants SuSEfirewall2_init.service which contains:
OTOH SuSEfirewall2.service should run:
After=network.target ypbind.service nfs.service nfsserver.service rpcbind.service SuSEfirewall2_init.service
which means that combined in one single condition this would means my script should run between the same Before and After. So I have combined all these 3 lines from above and removed the trailing “SuSEfirewall2_init.service” in the After as it will not be used.
BTW I think it might be relevant to add in the Unit also:
to ensure both firewalls cannot be started at simultaneously.
Looking at network.target 2 lines catch my attention:
Following the doc link I read:
network-pre.target is a target that may be used to order services before any network interface is configured. It’s primary purpose is for usage with firewall services that want to establish a firewall before any network interface is up. It’s a passive unit: you cannot start it directly and it is not pulled in by the the network management service, but by the service that wants to run before it. Network management services hence should set After=network-pre.target, but avoid any Wants=network-pre.target or even Requires=network-pre.target. Services that want to be run before the network is configured should place Before=network-pre.target and also set Wants=network-pre.target to pull it in. This way, unless there’s actually a service that needs to be ordered before the network is up the target is not pulled in, hence avoiding any unnecessary synchronization point.
If I understand correctly this means the firewall service must be set before the network.
Also because network.target is run after network-pre.target and network.service is a link to /usr/lib/systemd/system/wicked.service which in turn:
**Wants=network.target** wickedd.service wickedd-nanny.service
means that any attempt to have a “Requires=network.service” will also make the system Want network.target which is against the docs.
(the following is just my personal speculation)
I imagine the following scenario: At boot time there is no network for some reason (wicked failed to connect or something not configured etc). The mandatory “Requires=network.service” makes the firewall service fail = no protection, no masquerade etc. Later on the system administrator fixes the network and starts the network.service but the firewall remains off = security problem. I suppose that’s why they make the firewall to be started Before network.service and not fail because of its mandatory requirements.
Please correct me if I am wrong. I am not an expert, still learning.