[systemd-devel] Adding "After=network-online.target" via drop-in
Reindl Harald
h.reindl at thelounge.net
Sun Feb 19 12:42:58 UTC 2017
Am 19.02.2017 um 13:34 schrieb Mantas Mikulėnas:
> On Sat, Feb 18, 2017 at 10:32 PM, Ian Pilcher <arequipeno at gmail.com
> <mailto:arequipeno at gmail.com>> wrote:
>
> I have configured sshd on my firewall to listen only on its internal
> IP address. This is causing it to fail when it first starts, since the
> IP address is not actually configured yet.
>
> I have confirmed that adding network-online.target to the After=... line
> in sshd.service file works, but I know that using a drop-in is the
> preferred way of doing this.
>
> I haven't been able to find clear documentation of whether files in the
> drop-in directory are "incremental" or not.
>
>
> All multi-valued parameters are incremental.
>
> Alternatively, you could use sshd.socket (socket-activation) with
> FreeBind=yes -- that way Linux would allow the socket to be bound even
> if the address isn't configured yet.
>
> That said... listening only on internal addresses doesn't mean the
> connections will be accepted only from internal interfaces -- at least
> for IPv4, Linux considers the addresses as belonging to the whole host,
> and will still accept connections from any interface. (I tested this
> just a while ago.) So changing the listen-addr is not a good security
> measure, you *still* need the corresponding firewall rules (filtering by
> source IP)
i guess you tested that from the local host itself and not from the
outside because this is *not* true
on the local machine things are different like reject a specific port
for the "lo" interface but "telnet lan-address port" is also refused
More information about the systemd-devel
mailing list