[systemd-devel] Adding "After=network-online.target" via drop-in

Andrei Borzenkov arvidjaar at gmail.com
Sun Feb 19 16:56:37 UTC 2017


On 19.02.2017 15:34, Mantas Mikulėnas wrote:
> On Sat, Feb 18, 2017 at 10:32 PM, Ian Pilcher <arequipeno at gmail.com> wrote:
> 
>> I have configured sshd on my firewall to listen only on its internal
>> IP address.  This is causing it to fail when it first starts, since the
>> IP address is not actually configured yet.
>>
>> I have confirmed that adding network-online.target to the After=... line
>> in sshd.service file works, but I know that using a drop-in is the
>> preferred way of doing this.
>>
>> I haven't been able to find clear documentation of whether files in the
>> drop-in directory are "incremental" or not.
>>
> 
> All multi-valued parameters are incremental.
> 
> Alternatively, you could use sshd.socket (socket-activation) with
> FreeBind=yes -- that way Linux would allow the socket to be bound even if
> the address isn't configured yet.
> 
> That said... listening only on internal addresses doesn't mean the
> connections will be accepted only from internal interfaces -- at least for
> IPv4, Linux considers the addresses as belonging to the whole host, and
> will still accept connections from any interface. (I tested this just a
> while ago.) So changing the listen-addr is not a good security measure, you
> *still* need the corresponding firewall rules (filtering by source IP).
> 

What is the value of rp_filter sysctl on your interfaces
(/proc/sys/net/ipv4/conf/*/rp_filter)?
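The drop-in Ian asked about, written out as an added example (not code from the thread); the directory follows systemd's `<unit>.d` convention and the file name `wait-online.conf` is an arbitrary choice:

```ini
# /etc/systemd/system/sshd.service.d/wait-online.conf  (file name is an arbitrary choice)
# Drop-in fragments are merged into sshd.service. Multi-valued settings such as
# After= and Wants= are appended to the unit's existing lists, not replaced, so
# whatever After= the shipped sshd.service already has stays in effect.
[Unit]
# Wants= pulls network-online.target into the boot transaction; After= on its
# own only orders sshd behind the target if something else activates it.
Wants=network-online.target
After=network-online.target
```

Run `systemctl daemon-reload` and check the merged lists with `systemctl show -p After,Wants sshd.service`. network-online.target only delays until addresses are configured when a wait-online service (systemd-networkd-wait-online.service or NetworkManager-wait-online.service) is enabled.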