[systemd-devel] Adding "After=network-online.target" via drop-in

Reindl Harald h.reindl at thelounge.net
Sun Feb 19 12:42:58 UTC 2017


On 19.02.2017 at 13:34, Mantas Mikulėnas wrote:
> On Sat, Feb 18, 2017 at 10:32 PM, Ian Pilcher <arequipeno at gmail.com> wrote:
>
>     I have configured sshd on my firewall to listen only on its internal
>     IP address.  This is causing it to fail when it first starts, since the
>     IP address is not actually configured yet.
>
>     I have confirmed that adding network-online.target to the After=... line
>     in sshd.service file works, but I know that using a drop-in is the
>     preferred way of doing this.
>
>     I haven't been able to find clear documentation of whether files in the
>     drop-in directory are "incremental" or not.
>
>
> All multi-valued parameters are incremental.
>
> Alternatively, you could use sshd.socket (socket-activation) with
> FreeBind=yes -- that way Linux would allow the socket to be bound even
> if the address isn't configured yet.
>
> That said... listening only on internal addresses doesn't mean the
> connections will be accepted only from internal interfaces -- at least
> for IPv4, Linux considers the addresses as belonging to the whole host,
> and will still accept connections from any interface. (I tested this
> just a while ago.) So changing the listen-addr is not a good security
> measure, you *still* need the corresponding firewall rules (filtering by
> source IP).

I guess you tested that from the local host itself and not from the
outside, because this is *not* true.

On the local machine things are different, like rejecting a specific port
for the "lo" interface, but then "telnet lan-address port" is also refused.
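As an added example that is not part of the thread, here is the drop-in form of the fix Ian describes, followed by the socket-activation alternative Mantas mentions; the file paths follow systemd's drop-in convention, 192.0.2.1 is a constructed placeholder for the firewall's internal address, and the socket variant assumes the distribution ships an sshd.socket with a matching per-connection sshd@.service.

```ini
# /etc/systemd/system/sshd.service.d/wait-for-network.conf   (added example)
# Drop-ins are merged into the unit: multi-valued settings such as After=
# and Wants= are appended to what sshd.service already lists, not replaced.
[Unit]
# network-online.target is only reached if some unit pulls it in, so pair
# After= with Wants=; After= on its own does not delay sshd at all.
Wants=network-online.target
After=network-online.target

# /etc/systemd/system/sshd.socket.d/internal-only.conf       (added example)
# Alternative: let systemd own the listening socket. FreeBind=yes lets the
# socket be bound before 192.0.2.1 (constructed placeholder) is configured.
[Socket]
# ListenStream= is multi-valued too, so a plain drop-in would ADD the
# internal address next to the distribution's default (usually 22 on all
# addresses). An empty assignment resets the list first.
ListenStream=
ListenStream=192.0.2.1:22
FreeBind=yes
# sshd.socket and sshd.service must not both be enabled; pick one.
# A listen address is not an access control: keep the firewall rules
# that filter by source address, whichever variant is used.
```

After `systemctl daemon-reload`, `systemctl cat sshd.service` (or `sshd.socket`) shows the unit with the drop-in merged in, which is the quickest way to confirm the incremental behaviour discussed above.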
