[systemd-devel] [PATCH] Add a network-pre.target to avoid firewall leaks

Leonid Isaev lisaev at umail.iu.edu
Mon Jun 9 08:30:35 PDT 2014


On Mon, Jun 09, 2014 at 07:57:29AM +0000, Rusty Bird wrote:
> Date: Mon, 09 Jun 2014 07:57:29 +0000
> From: Rusty Bird <rustybird at openmailbox.org>
> To: systemd-devel at lists.freedesktop.org
> Subject: Re: [systemd-devel] [PATCH] Add a network-pre.target to avoid
>  firewall leaks
> 
> Hi Leonid,
> 
> > On Sun, Jun 08, 2014 at 12:33:44PM +0000, Rusty Bird wrote:
> 
> >> Adding to Djalal's and Mantas's examples, the systemd host may also be
> >> a gateway with its firewall configured to forward only *some* packets.
> 
> > If systemd itself is a server (you mean journald really, yes?)
> 
> "systemd host" = The machine that systemd runs on
> 
> In the example, this machine is a gateway/router, so it's the Linux
> kernel (not systemd itself or any service) that receives packets from
> other machines in your network and forwards them towards their
> destination.
> 
> > how can I
> > protect the machine with yet another target? Why is there no way to tell
> > systemd directly to start listening only after network.target is up?
> > 
> > On a related note, what do you do about things like sshd.socket (or crap like
> > cups.socket) which are not ordered against anything network-related?
> 
> network-pre.target is intended to block the initial configuration of
> the network interfaces (your Ethernet card, your WiFi radio) so that
> it doesn't matter what software component is listening for, or trying
> to send, packets: The machine remains cut off from all* network links
> until the firewall initialization succeeds.
> 
> * Except if you bring up a network interface during "early boot", e.g.
> using the kernel parameter ip= or an initramfs. In that case, it's your
> own responsibility to bring it down before systemd takes over. If you
> care about leaks.

Cool. I see your point now.

Thanks,
Leonid.

-- 
Leonid Isaev
GPG fingerprints: DA92 034D B4A8 EC51 7EA6  20DF 9291 EE8A 043C B8C4
                  C0DF 20D0 C075 C3F1 E1BE  775A A7AE F6CB 164B 5A6D
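An added example, not code from the patch or from either poster, of how a firewall service would hook the target discussed above: it pulls in network-pre.target and orders itself before it, so interface configuration (and therefore anything listening on a socket) waits until the rules are loaded. The unit name, the iptables-restore path and the rules file are assumptions; the directive names are ordinary systemd unit syntax.

```ini
# /etc/systemd/system/firewall.service  (hypothetical unit name)
[Unit]
Description=Load firewall rules before any network interface is configured
# DefaultDependencies=no: do not wait for sysinit.target, otherwise this
# unit would be ordered too late to run ahead of early network setup.
DefaultDependencies=no
# Pull network-pre.target in (it is passive and is not started otherwise)
# and order this service before it. Network managers order themselves
# After=network-pre.target, so the interfaces stay down until we succeed.
Wants=network-pre.target
Before=network-pre.target shutdown.target
Conflicts=shutdown.target
# Caveat from the discussion: an interface already brought up by the
# initramfs or the ip= kernel parameter is NOT covered by this ordering.

[Service]
Type=oneshot
# Keep the unit "active" after ExecStart exits so network-pre.target
# (and everything after it) stays ordered behind a successful rule load.
RemainAfterExit=yes
# Assumed rules file; a failure here leaves the interfaces unconfigured,
# which is the intended fail-closed behaviour.
ExecStart=/sbin/iptables-restore /etc/firewall/rules.v4
ExecStop=/sbin/iptables -P INPUT ACCEPT
ExecStop=/sbin/iptables -P FORWARD ACCEPT
ExecStop=/sbin/iptables -F

[Install]
WantedBy=multi-user.target
```

To confirm the ordering took effect, `systemctl list-dependencies --reverse network-pre.target` should list the firewall unit, and `systemctl show -p After <network-manager>.service` should include network-pre.target.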