There are. You have socket-activated services, and you have services that bind to 0.0.0.0 or ::, and you have services that make use of IP_FREEBIND to avoid having to wait for addresses to be assigned... -- Mantas Mikulėnas <<a href="mailto:grawity@gmail.com">grawity@gmail.com</a>> <div class="gmail_quote">On Jun 8, 2014 2:27 AM, "Leonid Isaev" <<a href="mailto:lisaev@umail.iu.edu">lisaev@umail.iu.edu</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> On Sun, Jun 08, 2014 at 01:07:38AM +0200, Zbigniew Jędrzejewski-Szmek wrote: > Date: Sun, 8 Jun 2014 01:07:38 +0200 > From: Zbigniew Jędrzejewski-Szmek <<a href="mailto:zbyszek@in.waw.pl">zbyszek@in.waw.pl</a>> > To: Michael Biebl <<a href="mailto:mbiebl@gmail.com">mbiebl@gmail.com</a>> > Cc: systemd Mailing List <<a href="mailto:systemd-devel@lists.freedesktop.org">systemd-devel@lists.freedesktop.org</a>> > Subject: Re: [systemd-devel] [PATCH] Add a network-pre.target to avoid > firewall leaks > User-Agent: Mutt/1.5.20 (2009-06-14) > > On Sun, Jun 08, 2014 at 12:55:55AM +0200, Michael Biebl wrote: > > Could you elaborate why Before=network.target is too late? > Because then network setup races with e.g. iptables setup. Depending > on the timing, a window in which the network has been set up, but > the firewall is not yet in place. But by the time network.target is reached there are no listening services yet, are there? So, why would one need a firewall? Thanks, Leonid. -- Leonid Isaev GPG fingerprints: DA92 034D B4A8 EC51 7EA6 20DF 9291 EE8A 043C B8C4 C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D _______________________________________________ systemd-devel mailing list <a href="mailto:systemd-devel@lists.freedesktop.org">systemd-devel@lists.freedesktop.org</a> <a href="http://lists.freedesktop.org/mailman/listinfo/systemd-devel" target="_blank">http://lists.freedesktop.org/mailman/listinfo/systemd-devel</a> </blockquote></div>