[systemd-devel] Adding "After=network-online.target" via drop-in

Lennart Poettering lennart at poettering.net
Mon Feb 20 16:41:03 UTC 2017


On Sun, 19.02.17 14:34, Mantas Mikulėnas (grawity at gmail.com) wrote:

> On Sat, Feb 18, 2017 at 10:32 PM, Ian Pilcher <arequipeno at gmail.com> wrote:
> 
> > I have configured sshd on my firewall to listen only on its internal
> > IP address.  This is causing it to fail when it first starts, since the
> > IP address is not actually configured yet.
> >
> > I have confirmed that adding network-online.target to the After=... line
> > in sshd.service file works, but I know that using a drop-in is the
> > preferred way of doing this.
> >
> > I haven't been able to find clear documentation of whether files in the
> > drop-in directory are "incremental" or not.
> >
> 
> All multi-valued parameters are incremental.
> 
> Alternatively, you could use sshd.socket (socket-activation) with
> FreeBind=yes -- that way Linux would allow the socket to be bound even if
> the address isn't configured yet.
> 
> That said... listening only on internal addresses doesn't mean the
> connections will be accepted only from internal interfaces -- at least for
> IPv4, Linux considers the addresses as belonging to the whole host, and
> will still accept connections from any interface. (I tested this just a
> while ago.) So changing the listen-addr is not a good security measure, you
> *still* need the corresponding firewall rules (filtering by source IP).

An efficient way to mask all traffic coming in from other interfaces
is by using BindToDevice= in the socket file.

Lennart

-- 
Lennart Poettering, Red Hat
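The three mechanisms discussed in the thread, written out as unit files. This is an added illustration, not configuration posted by anyone in the thread: the interface name `lan0`, the address `192.168.1.1` and the `/usr/sbin/sshd` path are placeholders to be replaced with the real ones. The first file is the drop-in Ian asked about; because `After=` is multi-valued it appends to the list sshd.service already declares rather than replacing it (`Wants=` is added so the target is actually pulled into the transaction, otherwise `After=` only orders against it if something else starts it). The second and third files are the socket-activation alternative Mantas and Lennart describe, combining `FreeBind=` (bind before the address exists) with `BindToDevice=` (drop traffic that arrives on any other interface).

```ini
# File 1: /etc/systemd/system/sshd.service.d/10-network-online.conf
# Drop-in for the stock sshd.service. Multi-valued settings such as
# After= and Wants= are incremental, so these lines are appended to the
# unit's existing lists. `systemctl edit sshd.service` creates this file.
[Unit]
Wants=network-online.target
After=network-online.target

# File 2: /etc/systemd/system/sshd.socket
# Socket-activation alternative: systemd owns the listening socket and
# hands each accepted connection to an instance of sshd@.service.
[Unit]
Description=OpenSSH server socket (internal interface only)

[Socket]
# Placeholder internal address; only this address:port is bound.
ListenStream=192.168.1.1:22
# IP_FREEBIND: the bind succeeds even if 192.168.1.1 is not configured
# on any interface yet, so early boot no longer fails.
FreeBind=yes
# SO_BINDTODEVICE: packets arriving on any other interface never reach
# this socket, addressing the IPv4 "address belongs to the whole host"
# behaviour noted in the thread. `lan0` is a placeholder name.
BindToDevice=lan0
# One sshd instance per connection (inetd style).
Accept=yes

[Install]
WantedBy=sockets.target

# File 3: /etc/systemd/system/sshd@.service
# Per-connection template used by Accept=yes above.
[Unit]
Description=OpenSSH per-connection daemon

[Service]
# -i: run in inetd mode, speaking SSH on the inherited socket.
# Path is an assumption; check `command -v sshd` on the target system.
ExecStart=-/usr/sbin/sshd -i
StandardInput=socket
```

After placing the files, `systemctl daemon-reload` followed by `systemctl cat sshd.service` shows the merged `After=` list, which is the quickest way to confirm a drop-in was picked up. If the socket route is chosen, sshd.service must be disabled so the two do not compete for port 22. As Mantas notes, neither the listen address nor `BindToDevice=` replaces the firewall rules that filter by source address; they reduce exposure of the daemon itself, while the packet filter remains the control that defines which sources are allowed.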

