[systemd-devel] [PATCH] Add a network-pre.target to avoid firewall leaks

Mantas Mikulėnas grawity at gmail.com
Sat Jun 7 16:57:26 PDT 2014


There are. You have socket-activated services, and you have services that
bind to 0.0.0.0 or ::, and you have services that make use of IP_FREEBIND
to avoid having to wait for addresses to be assigned...

-- 
Mantas Mikulėnas <grawity at gmail.com>
On Jun 8, 2014 2:27 AM, "Leonid Isaev" <lisaev at umail.iu.edu> wrote:

> On Sun, Jun 08, 2014 at 01:07:38AM +0200, Zbigniew Jędrzejewski-Szmek
> wrote:
> > Date: Sun, 8 Jun 2014 01:07:38 +0200
> > From: Zbigniew Jędrzejewski-Szmek <zbyszek at in.waw.pl>
> > To: Michael Biebl <mbiebl at gmail.com>
> > Cc: systemd Mailing List <systemd-devel at lists.freedesktop.org>
> > Subject: Re: [systemd-devel] [PATCH] Add a network-pre.target to avoid
> >  firewall leaks
> > User-Agent: Mutt/1.5.20 (2009-06-14)
> >
> > On Sun, Jun 08, 2014 at 12:55:55AM +0200, Michael Biebl wrote:
> > > Could you elaborate why Before=network.target is too late?
> > Because then network setup races with e.g. iptables setup. Depending
> > on the timing, there is a window in which the network has been set up,
> > but the firewall is not yet in place.
>
> But by the time network.target is reached there are no listening services
> yet, are there? So, why would one need a firewall?
>
> Thanks,
> Leonid.
>
> --
> Leonid Isaev
> GPG fingerprints: DA92 034D B4A8 EC51 7EA6  20DF 9291 EE8A 043C B8C4
>                   C0DF 20D0 C075 C3F1 E1BE  775A A7AE F6CB 164B 5A6D
>
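The ordering Zbigniew and Mantas are arguing for, as an added example that is not part of the thread or of the systemd patch: a hypothetical firewall-loading unit ordered only Before=network.target, beside one that pulls in and orders itself before network-pre.target, plus a small shell check telling the two apart. It assumes network-pre.target with the passive-target semantics systemd's documentation gives it (network management services order themselves After= it but do not pull it in, so the firewall unit needs Wants= as well as Before=); the unit names, the iptables-restore path and the rules file path are placeholders.

```shell
#!/bin/sh
# Added example; not from the thread or from systemd itself. Writes two
# hypothetical firewall units under a temp dir and checks which of them is
# ordered before network-pre.target. ExecStart paths are placeholders.
set -eu

WORK="${TMPDIR:-/tmp}/fw-order-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Racy ordering. Before=network.target orders this unit before the target,
# not before the network management service, which is itself ordered before
# network.target; the two start concurrently. In that window socket-activated
# services, services bound to 0.0.0.0 or ::, and IP_FREEBIND users are
# already reachable with no rules loaded.
cat > "$WORK/firewall-racy.service" <<'EOF'
[Unit]
Description=Load firewall rules (ordered only before network.target)
Before=network.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/iptables-restore /etc/iptables/rules.v4

[Install]
WantedBy=multi-user.target
EOF

# Fixed ordering. network-pre.target is passive: network management services
# are After= it but nothing pulls it in, so Wants= activates it and Before=
# then holds back every interface until ExecStart has returned.
# DefaultDependencies=no drops the implicit After=basic.target so the unit can
# run in early boot; the shutdown ordering that default dependencies would
# have added is restored by hand.
cat > "$WORK/firewall-pre.service" <<'EOF'
[Unit]
Description=Load firewall rules (ordered before network-pre.target)
DefaultDependencies=no
Wants=network-pre.target
Before=network-pre.target shutdown.target
Conflicts=shutdown.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/iptables-restore /etc/iptables/rules.v4

[Install]
WantedBy=multi-user.target
EOF

# Exit status 0 when $1 both pulls in (Wants=) and orders itself before
# (Before=) network-pre.target, 1 otherwise. Directive values are
# space-separated lists and a key may appear on more than one line, so each
# grep matches the target anywhere in any such line.
unit_orders_before_network_pre() {
    grep -Eq '^Before=(.* )?network-pre\.target( .*)?$' "$1" || return 1
    grep -Eq '^Wants=(.* )?network-pre\.target( .*)?$' "$1" || return 1
}

for unit in "$WORK"/firewall-*.service; do
    if unit_orders_before_network_pre "$unit"; then
        echo "$(basename "$unit"): runs before any interface is configured"
    else
        echo "$(basename "$unit"): races with network setup"
    fi
done
```

The check is deliberately narrow: it only confirms the unit asks for the ordering. Whether the window is actually closed also depends on the network management service on the host being ordered After=network-pre.target, which `systemctl show -p After <network-service>` will tell you.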