[systemd-devel] [PATCH] Add a network-pre.target to avoid firewall leaks

Cameron Norman camerontnorman at gmail.com
Sun Jun 8 16:00:38 PDT 2014


On Sun, 8 Jun 2014 at 11:44 AM, Leonid Isaev <lisaev at umail.iu.edu> wrote:
> Hi,
> 
> On Sun, Jun 08, 2014 at 12:33:44PM +0000, Rusty Bird wrote:
>>  Date: Sun, 08 Jun 2014 12:33:44 +0000
>>  From: Rusty Bird <rustybird at openmailbox.org>
>>  To: systemd-devel at lists.freedesktop.org
>>  Subject: Re: [systemd-devel] [PATCH] Add a network-pre.target to avoid firewall leaks
>>  
>>  Leonid Isaev:
>>  > But by the time network.target is reached there are no listening services yet,
>>  > are there? So, why would one need a firewall?
>>  
>>  Adding to Djalal's and Mantas's examples, the systemd host may also be a gateway with its firewall configured to forward only *some* packets.
>>  
>>  Rusty
>> 
> Thanks for an explanation, but this is exactly what I don't understand. But please note that I agree with you that the firewall must be enabled as early as possible during boot...
> 
> If systemd itself is a server (you mean journald really, yes?), how can I protect the machine with yet another target? Why is there no way to tell systemd directly to start listening only after network.target is up?
> 
> On a related note, what do you do about things like sshd.socket (or crap like cups.socket) which are not ordered against anything network-related?
> 

Because the firewall comes up before the network interfaces, no 
connection can possibly be created before the firewall is configured. 
The result is that even though systemd is listening on cups.socket or 
sshd.socket, once a remote connection is established, the firewall will 
already be configured.

Hope that helps,
--
Cameron Norman
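As an added illustration (not part of the patch or of anyone's message in this thread), here is a firewall unit ordered the way the reply above describes, with the mis-ordered variant shown in comments for contrast. `firewall.service` and `/usr/local/sbin/load-firewall` are hypothetical placeholders; the unit keys themselves are standard systemd ones.

```ini
# Added example, not from the patch under discussion.
# Hypothetical /etc/systemd/system/firewall.service (names are placeholders).
#
# Mis-ordered variant (the "leak" the patch addresses): nothing ties the
# unit to interface setup, so a socket unit such as sshd.socket or
# cups.socket can already accept a connection on a configured interface
# before the rules are loaded.
#
#   [Unit]
#   Description=Load firewall rules
#   After=network.target        ; too late: interfaces may already be up
#
# Correct variant: pull in the passive network-pre.target with Wants= and
# order Before= it, so the rules are loaded before any interface-configuring
# unit (which orders itself After=network-pre.target) runs.
# DefaultDependencies=no keeps the unit out of the implicit sysinit/basic
# ordering so it can start that early; the shutdown.target entries give it
# a clean stop order.

[Unit]
Description=Load firewall rules before any network interface comes up
DefaultDependencies=no
Wants=network-pre.target
Before=network-pre.target shutdown.target
Conflicts=shutdown.target

[Service]
Type=oneshot
RemainAfterExit=yes
# Placeholder script: loads the ruleset (e.g. via iptables-restore or nft -f)
# and flushes it on --flush.
ExecStart=/usr/local/sbin/load-firewall
ExecStop=/usr/local/sbin/load-firewall --flush

[Install]
WantedBy=sysinit.target
```

After `systemctl enable firewall.service`, `systemctl list-dependencies --before firewall.service` (units ordered after it) should include network-pre.target, confirming that interface setup waits for the rules.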