[systemd-devel] Adding "After=network-online.target" via drop-in
Ian Pilcher
arequipeno at gmail.com
Sun Feb 19 15:35:13 UTC 2017
On 02/19/2017 06:34 AM, Mantas Mikulėnas wrote:
> That said... listening only on internal addresses doesn't mean the
> connections will be accepted only from internal interfaces -- at least
> for IPv4, Linux considers the addresses as belonging to the whole host,
> and will still accept connections from any interface. (I tested this
> just a while ago.) So changing the listen-addr is not a good security
> measure, you *still* need the corresponding firewall rules (filtering by
> source IP).
That's a great point. In my case the internal address is non-routable,
so listening on only that address does add at least some level of
difficulty for a hypothetical attacker.
Always good to remember this counter-intuitive (IMO) behavior.
--
========================================================================
Ian Pilcher arequipeno at gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================
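Worked example, added here and not part of the thread above: a small Python listener that does not rely on the bind address alone. It pins the socket to one interface with SO_BINDTODEVICE (so the kernel drops SYNs for the internal address that arrive on any other interface, which is what the weak host model would otherwise allow) and checks every accepted peer against a source-address allowlist, the same filter the firewall rules would apply. The interface name, port and subnets are made-up values for the example; the CAP_NET_RAW remark is an assumption about the kernel in use.

```python
"""Added example: listen on an internal address without trusting the
bind address as an access control.

On Linux a socket bound to an "internal" IPv4 address still accepts
connections arriving on any interface (weak host model), so this code
1. pins the socket to a single interface with SO_BINDTODEVICE, and
2. enforces a source-address allowlist on every accepted connection,
   as a second line of defence behind the firewall's own source filter,
   e.g. (assumed nftables rule, for comparison):
     nft add rule inet filter input iifname "eth1" ip saddr 10.0.0.0/8 \
         tcp dport 8080 accept
"""
import ipaddress
import socket

# Linux-only socket option; the socket module exports it on Linux builds,
# the numeric value is a fallback.  Pinning to a non-loopback interface may
# require CAP_NET_RAW on older kernels (assumption about the kernel in use).
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)

# Constructed allowlist for the example: the "internal" subnets.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def peer_allowed(peer_ip, allowed_nets=INTERNAL_NETS):
    """Return True if peer_ip lies inside one of allowed_nets.

    IPv4-mapped IPv6 peers (::ffff:10.1.2.3), as reported by dual-stack
    sockets, are unwrapped so the IPv4 allowlist still applies to them.
    """
    addr = ipaddress.ip_address(peer_ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in allowed_nets)


def make_listener(listen_addr, port, ifname=None):
    """Create a listening TCP socket on listen_addr:port.

    If ifname is given the socket is also bound to that interface, so the
    kernel discards connection attempts for this address that come in on
    any other interface; binding to the address alone does not do that.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    if ifname is not None:
        sock.setsockopt(socket.SOL_SOCKET, SO_BINDTODEVICE,
                        ifname.encode() + b"\0")
    sock.bind((listen_addr, port))
    sock.listen(5)
    return sock


def accept_checked(listener, allowed_nets=INTERNAL_NETS):
    """Accept one connection and close it unless the peer is allowed.

    Returns (peer_ip, accepted) so the caller can log the decision.
    """
    conn, (peer_ip, _peer_port) = listener.accept()
    allowed = peer_allowed(peer_ip, allowed_nets)
    if allowed:
        pass  # real service logic would run here
    conn.close()
    return peer_ip, allowed


if __name__ == "__main__":
    # Stand-alone run on loopback: 127.0.0.1 is outside INTERNAL_NETS, so
    # the connection is rejected even though it reached the bound address.
    srv = make_listener("127.0.0.1", 0)           # ifname="eth1" on a real host
    port = srv.getsockname()[1]
    client = socket.create_connection(("127.0.0.1", port))
    print(accept_checked(srv))
    client.close()
    srv.close()
```

The allowlist check is deliberately separate from the bind address: if the service is later moved to 0.0.0.0, or the internal address becomes reachable through a new route, the source filter still holds, which is the point Mantas makes about firewall rules.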