
  * debian/{postinst,postrm}: ship a symlink to /dev/null as
    /lib/systemd/system/uruk.service since the uruk init script is not
    applicable in systemd: we use ifupdown.  Fixes "uruk: Has init script in
    runlevel S but no matching service file".  Thanks fsateler@d.o.
    Closes: #796700


    # systemd #796700 - uruk: Has init script in runlevel S but no matching service file
    # "[...] the script is simply not applicable in systemd, in which case the package
    # should ship a symlink to /dev/null as /lib/systemd/system/<initscript>.service."
    # https://wiki.debian.org/Teams/pkg-systemd/rcSMigration
    if ! test -L /lib/systemd/system/uruk.service
    then
        ln -s /dev/null /lib/systemd/system/uruk.service
    fi

https://wiki.debian.org/Teams/pkg-systemd/rcSMigration :

Your service is needed to configure firewalls or network interfaces

If you need to configure firewalls, network interfaces, or anything else which
needs to happen before bringing up the first network interface, then you should
order the service as follows (eg, if you need to run before ifupdown/networkd):

 [Unit]
 Description=An early boot service
 DefaultDependencies=no
 Wants=network-pre.target
 Before=network-pre.target shutdown.target
 Conflicts=shutdown.target


Lots of other ideas: drop default rule: "check if incoming traffic is targetted at current IP":
make it possible to have sane uruk rules _without_ knowing current IP.   before any interface is up:
drop all traffic, via init script or systemd early boot.  once an interface is up, load rules, via
ifupdown or ...




---

Check out http://wiki.debian.org/FirewallByDefault and
http://wiki.debian.org/Firewalls .

Check out https://wiki.ubuntu.com/UbuntuFirewall

Add package tags to description using e.g. package browser:
http://debian.vitavonni.de/packagebrowser/?tags=security%2Cnetwork%2Csecurity%3A%3Afirewall
(it seems this can't yet be done in control file).

We might want to check /var/lib/uruk/iptables stuff on
purge/removal/reinstallation.  (Currently, it's kept on purge.)

Recheck http://women.alioth.debian.org/wiki/index.php/English/MaintainerScripts
.

Use doc-base for registering documentation, replace our md5sums generating
stuff with something like:
.
 while read f; do \
  exclude="$$exclude ! -path \".$$f\" "; \
 done < debian/conffiles; \
  cd debian/$(package); \
  find . -type f $$exclude ! -regex '.*/DEBIAN/.*' -printf '%P\0' | xargs -r0 md5sum > DEBIAN/md5sums;
.
This honors conffiles.  Or just call dh_md5sums...  (And we might choose to go
use debhelper for all the rest, or cdbs, while we're at it.)

