[systemd-devel] Adding "After=network-online.target" via drop-in

Ian Pilcher arequipeno at gmail.com
Sun Feb 19 15:35:13 UTC 2017


On 02/19/2017 06:34 AM, Mantas Mikulėnas wrote:
> That said... listening only on internal addresses doesn't mean the
> connections will be accepted only from internal interfaces -- at least
> for IPv4, Linux considers the addresses as belonging to the whole host,
> and will still accept connections from any interface. (I tested this
> just a while ago.) So changing the listen-addr is not a good security
> measure, you *still* need the corresponding firewall rules (filtering by
> source IP).

That's a great point.  In my case the internal address is non-routable,
so listening on only that address does add at least some level of
difficulty for a hypothetical attacker.

Always good to remember this counter-intuitive (IMO) behavior.

-- 
========================================================================
Ian Pilcher                                         arequipeno at gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================
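The thread's point is that on Linux a socket bound to an internal address can still be reached by a packet arriving on the external interface, so the restriction has to be expressed in the packet filter rather than in the bind address. The following nftables ruleset is an added illustration, not something from the thread or from systemd: it assumes a service listening on 10.0.0.5 port 5432, an internal interface eth1 serving 10.0.0.0/24, an external interface eth0, and an administrator reachable over SSH on eth1. All interface names, addresses and ports are placeholders.

```nft
#!/usr/sbin/nft -f
# Added example (assumed topology, not from the mailing-list thread):
#   eth0  external interface
#   eth1  internal interface, subnet 10.0.0.0/24, host address 10.0.0.5
#   service bound to 10.0.0.5:5432
#
# Because Linux treats every configured address as belonging to the whole
# host, a packet for 10.0.0.5:5432 that arrives on eth0 would still reach
# the listener.  The accept rule below therefore keys on BOTH the ingress
# interface and the source subnet, and everything else aimed at that
# socket is logged and dropped.

flush ruleset

table inet svc_filter {
    chain input {
        type filter hook input priority filter; policy drop;

        # Flow housekeeping: existing connections, loopback, and ICMP/NDP.
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        meta l4proto { icmp, ipv6-icmp } accept

        # Management access (assumed: SSH from the internal segment only).
        iifname "eth1" ip saddr 10.0.0.0/24 tcp dport 22 accept

        # The service: internal interface AND internal source subnet.
        iifname "eth1" ip saddr 10.0.0.0/24 ip daddr 10.0.0.5 tcp dport 5432 accept

        # Same destination socket reached from any other interface or source:
        # this is the case the bind address alone does not cover.
        ip daddr 10.0.0.5 tcp dport 5432 log prefix "svc-leak: " drop
    }
}
```

Load it with `nft -f <file>` and verify with `nft list ruleset`; the `svc-leak:` log prefix makes any attempt to reach the internal socket from the wrong side visible in the kernel log, which is a useful detection signal in its own right. Matching on `iifname` as well as `ip saddr` matters: a source-address check alone would accept a packet on eth0 whose source had been forged to look internal, whereas the interface match (or, host-wide, strict reverse-path filtering via `net.ipv4.conf.all.rp_filter=1`) discards such a packet regardless of its claimed source.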
