[systemd-devel] [PATCH] Add a network-pre.target to avoid firewall leaks

Leonid Isaev lisaev at umail.iu.edu
Sun Jun 8 11:44:53 PDT 2014


Hi,

On Sun, Jun 08, 2014 at 12:33:44PM +0000, Rusty Bird wrote:
> Date: Sun, 08 Jun 2014 12:33:44 +0000
> From: Rusty Bird <rustybird at openmailbox.org>
> To: systemd-devel at lists.freedesktop.org
> Subject: Re: [systemd-devel] [PATCH] Add a network-pre.target to avoid
>  firewall leaks
> 
> Leonid Isaev:
> > But by the time network.target is reached there are no listening services yet,
> > are there? So, why would one need a firewall?
> 
> Adding to Djalal's and Mantas's examples, the systemd host may also be
> a gateway with its firewall configured to forward only *some* packets.
> 
> Rusty
> 

Thanks for the explanation, but this is exactly what I don't understand. But
please note that I agree with you that the firewall must be enabled as early as
possible during boot...

If systemd itself is a server (you mean journald really, yes?), how can I
protect the machine with yet another target? Why is there no way to tell
systemd directly to start listening only after network.target is up?

On a related note, what do you do about things like sshd.socket (or crap like
cups.socket) which are not ordered against anything network-related?

Cheers,
-- 
Leonid Isaev
GPG fingerprints: DA92 034D B4A8 EC51 7EA6  20DF 9291 EE8A 043C B8C4
                  C0DF 20D0 C075 C3F1 E1BE  775A A7AE F6CB 164B 5A6D
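As an added illustration (not part of this thread or of the patch under discussion), the ordering that network-pre.target is meant to make possible, written as systemd unit fragments: a firewall unit that completes before network-pre.target, and a drop-in that gives a socket unit such as sshd.socket the ordering it otherwise lacks. The unit name firewall.service, the drop-in path and the ruleset path are assumptions.

```ini
# /etc/systemd/system/firewall.service   (assumed unit name)
[Unit]
Description=Load the firewall ruleset before any interface is configured
# Pull in network-pre.target and finish before it. Network management
# services order themselves After=network-pre.target, so by the time
# network.target is reached the ruleset is already in the kernel and
# no packet is accepted or forwarded with an empty policy.
Wants=network-pre.target
Before=network-pre.target

[Service]
Type=oneshot
RemainAfterExit=yes
# Assumed ruleset path; any atomic loader (nft -f, ip6tables-restore) fits here.
ExecStart=/usr/sbin/iptables-restore /etc/iptables/rules.v4

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/sshd.socket.d/after-firewall.conf   (drop-in)
# Socket units like sshd.socket carry no ordering against the firewall;
# this drop-in makes systemd create the listening socket only once
# network-pre.target, and hence firewall.service, has been reached.
[Unit]
After=network-pre.target
```

After `systemctl daemon-reload`, `systemctl list-dependencies --after network-pre.target` should show firewall.service, and `systemctl show -p After sshd.socket` should include network-pre.target.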