
I am using ufw on Alpine linux.

I have configured it in a pretty standard way:

apk add --no-cache ufw
ufw allow ssh
ufw allow http
ufw allow https
ufw limit ssh
ufw enable
rc-update add ufw default

But I am not sure if I should be setting its runlevel to boot so I am sure it starts before any other services (ssh and docker (and therefore http/https services) are both set to start at default).

Does it matter? I don't believe alpine's RC system has a dependency setup like you might find in systemd.

  • Alpine uses OpenRC and its startup scripts are readable, so read the rc scripts and decide where it fits best. BTW, Alpine uses ifupdown-ng, which allows running pre/post scripts when an iface is activated/deactivated. See https://github.com/ifupdown-ng/ifupdown-ng/blob/master/doc/ifupdown-executor.scd – Jiri B Apr 03 '21 at 19:20

1 Answer


Alpine's preference is to use awall, Alpine's iptables wrapper. And it uses the default runlevel for iptables (awall generates iptables rules).

So, in most cases the default runlevel is OK.

But note that your networking is activated in the boot runlevel, so if you are paranoid just use ifupdown-ng pre/post scripts.

Jiri B
  • I think the question is mostly academic, unless you're a high value target that somehow gets targeted *right between reboots*, if awall starts at default that's good enough for me! – markson edwardson Apr 04 '21 at 02:44
  • Well, could be. For example OpenBSD starts its firewall (packet filter, PF) very early, before networking is enabled. See https://github.com/openbsd/src/blob/master/etc/rc#L402. Then user defined rules are loaded a little bit later, https://github.com/openbsd/src/blob/master/etc/rc#L460. – Jiri B Apr 04 '21 at 08:58
  • That's quite clever. – markson edwardson Apr 04 '21 at 10:48
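The answer's suggestion of closing the window between networking (boot runlevel) and the firewall (default runlevel) with an ifupdown-ng pre-up hook, as an added example that is not from this thread: it assumes a hypothetical hook script path /usr/local/sbin/fw-preup.sh and rules file /etc/iptables/pre-up.rules, and loads plain iptables rules equivalent to the question's ufw commands rather than ufw's own chains.

```shell
#!/bin/sh
# Added example (not from the thread): build an iptables-restore ruleset that
# mirrors "ufw allow ssh/http/https" + "ufw limit ssh" and load it from an
# ifupdown-ng pre-up hook, so filtering exists before the interface is up.
# Assumed (hypothetical) interfaces stanza:
#   auto eth0
#   iface eth0 inet dhcp
#       pre-up /usr/local/sbin/fw-preup.sh install
RULES_FILE="${RULES_FILE:-/etc/iptables/pre-up.rules}"

# Print the ruleset: default DROP on INPUT/FORWARD, allow loopback and
# established traffic, allow 80/443, and allow 22 with a per-source limit
# resembling "ufw limit ssh" (drop after 6 new connections within 30 s).
gen_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name ssh --set
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name ssh --update --seconds 30 --hitcount 6 -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
EOF
}

# Count ACCEPT rules for a TCP port in a ruleset read on stdin; a sanity
# check that the generated policy opens only the ports we intend.
count_port_accepts() {
    grep -c -- "--dport $1 .*-j ACCEPT" || true
}

# Validate, write and load the ruleset. Any failure returns non-zero so the
# pre-up hook fails and ifupdown leaves the interface down (fail closed)
# instead of bringing it up unfiltered.
install_rules() {
    tmp="$(mktemp)" || return 1
    gen_rules > "$tmp" || { rm -f "$tmp"; return 1; }
    iptables-restore --test "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$RULES_FILE" && iptables-restore "$RULES_FILE"
}

if [ "${1:-}" = "install" ]; then install_rules; fi
```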