[systemd-devel] Adding "After=network-online.target" via drop-in
Mantas Mikulėnas
grawity at gmail.com
Sun Feb 19 12:34:18 UTC 2017
On Sat, Feb 18, 2017 at 10:32 PM, Ian Pilcher <arequipeno at gmail.com> wrote:
> I have configured sshd on my firewall to listen only on its internal
> IP address. This is causing it to fail when it first starts, since the
> IP address is not actually configured yet.
>
> I have confirmed that adding network-online.target to the After=... line
> in sshd.service file works, but I know that using a drop-in is the
> preferred way of doing this.
>
> I haven't been able to find clear documentation of whether files in the
> drop-in directory are "incremental" or not.
>
All multi-valued parameters are incremental.
Alternatively, you could use sshd.socket (socket-activation) with
FreeBind=yes -- that way Linux would allow the socket to be bound even if
the address isn't configured yet.
That said... listening only on internal addresses doesn't mean the
connections will be accepted only from internal interfaces -- at least for
IPv4, Linux considers the addresses as belonging to the whole host, and
will still accept connections from any interface. (I tested this just a
while ago.) So changing the listen-addr is not a good security measure, you
*still* need the corresponding firewall rules (filtering by source IP).
--
Mantas Mikulėnas <grawity at gmail.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/systemd-devel/attachments/20170219/bbfa385c/attachment.html>
More information about the systemd-devel
mailing list