[systemd-devel] [PATCH] Add a network-pre.target to avoid firewall leaks

Rusty Bird rustybird at openmailbox.org
Mon Jun 9 00:57:29 PDT 2014


Hi Leonid,

> On Sun, Jun 08, 2014 at 12:33:44PM +0000, Rusty Bird wrote:

>> Adding to Djalal's and Mantas's examples, the systemd host may also be
>> a gateway with its firewall configured to forward only *some* packets.

> If systemd itself is a server (you mean journald really, yes?)

"systemd host" = The machine that systemd runs on

In the example, this machine is a gateway/router, so it's the Linux
kernel (not systemd itself or any service) that receives packets from
other machines in your network and forwards them towards their
destination.

> how can I
> protect the machine with yet another target? Why there is no way to tell
> systemd directly to start listening only after network.target is up?
> 
> On a related note, what do you do about things like sshd.socket (or crap like
> cups.socket) which are not ordered against anything network-related?

network-pre.target is intended to block the initial configuration of
the network interfaces (your Ethernet card, your WiFi radio) so that
it doesn't matter what software component is listening for, or trying
to send, packets: The machine remains cut off from all* network links
until the firewall initialization succeeds.

* Except if you bring up a network interface during "early boot", e.g.
using the kernel parameter ip= or an initramfs. In that case, it's your
own responsibility to bring it down before systemd takes over. If you
care about leaks.

Rusty
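As an added illustration (not code from this thread or from the patch under discussion): a firewall service that pulls in and orders itself before network-pre.target, so interface configuration waits for it, plus a fail-closed base policy so that a ruleset that fails to load leaves the gateway isolated rather than open. The unit name, the nft binary path, both ruleset paths and the ruleset contents are assumptions; interfaces already configured in early boot (ip=, initramfs) are outside what this ordering can cover.

```ini
# --- /etc/systemd/system/firewall.service (assumed unit name; added example) ---
[Unit]
Description=Load firewall rules before any network interface is configured
Documentation=man:systemd.special(7) man:nft(8)
# network-pre.target is passive: it only enters the boot transaction when some
# unit Wants= it. Before= then makes every interface manager that orders
# itself After=network-pre.target (networkd, NetworkManager, ...) wait for us.
Wants=network-pre.target
Before=network-pre.target

[Service]
Type=oneshot
# Stay "active" after nft exits so the unit counts as started for the rest
# of boot and a later "systemctl start" does not re-run it.
RemainAfterExit=yes
# Step 1: install a tiny drop-everything policy first. nft -f applies a file
# atomically, so if the full ruleset in step 2 fails to parse, this policy
# stays in place and the host comes up isolated instead of open. Ordering
# alone does not give you that: Wants= is a weak dependency, so a failed
# firewall unit merely finishes, it does not stop interface setup.
ExecStartPre=/usr/sbin/nft -f /etc/nftables.d/fail-closed.conf
# Step 2: the real ruleset (path assumed); the host's actual policy lives here.
ExecStart=/usr/sbin/nft -f /etc/nftables.conf
ExecReload=/usr/sbin/nft -f /etc/nftables.conf
# Deliberately no ExecStop=: flushing rules on stop would reopen the box
# while interfaces are still up.

[Install]
WantedBy=multi-user.target

# --- /etc/nftables.d/fail-closed.conf (assumed path; nft syntax, not ini) ---
# Drop everything except loopback on all three hooks, including the forward
# path, which is the one that matters for the gateway case in the thread.
flush ruleset
table inet filter {
    chain input   { type filter hook input   priority 0; policy drop; iif lo accept; }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output  { type filter hook output  priority 0; policy drop; oif lo accept; }
}
```

After `systemctl enable firewall.service`, `systemctl list-dependencies --before firewall.service` should show network-pre.target and, transitively, the interface managers waiting on it.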
