
 * debian/{postinst,postrm}: ship a symlink to /dev/null as
   /lib/systemd/system/uruk.service since the uruk init script is not
   applicable in systemd: we use ifupdown.  Fixes "uruk: Has init script in
   runlevel S but no matching service file".  Thanks fsateler@d.o.
   Closes: #796700

 # systemd #796700 - uruk: Has init script in runlevel S but no matching service file
 # "[...] the script is simply not applicable in systemd, in which case the package
 # should ship a symlink to /dev/null as /lib/systemd/system/<initscript>.service."
 # https://wiki.debian.org/Teams/pkg-systemd/rcSMigration
 if ! test -L /lib/systemd/system/uruk.service
 then
     ln -s /dev/null /lib/systemd/system/uruk.service
 fi

https://wiki.debian.org/Teams/pkg-systemd/rcSMigration :

Your service is needed to configure firewalls or network interfaces

If you need to configure firewalls, network interfaces, or anything else which
needs to happen before bringing up the first network interface, then you should
order the service as follows (eg, if you need to run before ifupdown/networkd):

 [Unit]
 Description=An early boot service
 DefaultDependencies=no
 Wants=network-pre.target
 Before=network-pre.target shutdown.target
 Conflicts=shutdown.target


Lots of other ideas: drop default rule: "check if incoming traffic is targetted
at current IP": make it possible to have sane uruk rules _without_ knowing
current IP.   before any interface is up: drop all traffic, via init script or

---

Check out http://wiki.debian.org/FirewallByDefault and
http://wiki.debian.org/Firewalls .

Check out https://wiki.ubuntu.com/UbuntuFirewall

Add package tags to description using e.g. package browser:
http://debian.vitavonni.de/packagebrowser/?tags=security%2Cnetwork%2Csecurity%3A%3Afirewall
(it seems this can't yet be done in control file).

We might want to check /var/lib/uruk/iptables stuff on
purge/removal/reinstallation.  (Currently, it's kept on purge.)

Recheck http://women.alioth.debian.org/wiki/index.php/English/MaintainerScripts
.

Use doc-base for registering documentation, replace our md5sums generating
stuff with something like:
.
 while read f; do \
  exclude="$$exclude ! -path \".$$f\" "; \
 done < debian/conffiles; \
  cd debian/$(package); \
  find . -type f $$exclude ! -regex '.*/DEBIAN/.*' -printf '%P\0' | xargs -r0 md5sum > DEBIAN/md5sums;
.
This honors conffiles.  Or just call dh_md5sums...  (And we might choose to go
use debhelper for all the rest, or cdbs, while we're at it.)

