#1124833 crowdsec-firewall-bouncer should start After=netfilter-persistent

Package:
crowdsec-firewall-bouncer
Source:
crowdsec-firewall-bouncer
Description:
CrowdSec bouncer for firewalls
Submitter:
Wang Jian
Date:
2026-02-04 19:33:03 UTC
Severity:
normal
#1124833#5
Date:
2026-01-07 06:46:42 UTC
From:
To:
This is a long-standing issue and yet not fixed upstream
(but should be).

See reports to upstream here
https://github.com/crowdsecurity/cs-firewall-bouncer/issues/212
and here
https://discourse.crowdsec.net/t/firewall-bouncer-fails-to-start-systemd-ordering-cycle/1265

In short, the use of Before= introduced cycling dependency which
only exhibits itself during the booting process. If you install
crowdsec-firewall-bouncer (and crowdsec) in a live system, it
appears normal. This may lead to unexpected situation that a host
loses all firewall protection by accident and without necessary
notice, or some important services won't run at boot time.

Please fix it in stable, testing and unstable.
--- old
+++ new
@@ -1,7 +1,7 @@
 [Unit]
 Description=The firewall bouncer for CrowdSec
 After=network.target remote-fs.target nss-lookup.target crowdsec.service
-Before=netfilter-persistent.service
+After=netfilter-persistent.service
 ConditionPathExists=!/var/lib/crowdsec/pending-registration

 [Service]