Comment 13 for bug 1511869

It would appear a solution to the firewall being open before shorewall start is to use the 'shorewall-init' package.

 http://shorewall.net/Shorewall-init.html

The extra init package closes the firewall prior to shorewall startup avoiding that issue (assuming you set the product in /etc/default/shorewall)

It would also be wise to set safestop=1 as per the advice on the page as Debian based systems drop the firewall before halt.

I tested my restart while pinging with shorewall blocking ICMP, never got a reply so I assume it works and blocks network before shorewall fires up.

I haven't tried testing the Deb service file using network-pre.target as the above appears to be working nicely. I may do this later if curious.