[systemd-devel] IPAddressDeny/IPAddressAllow is too limited ot be useful
Reindl Harald
h.reindl at thelounge.net
Sun Dec 23 01:17:35 UTC 2018
http://0pointer.net/blog/ip-accounting-and-access-lists-with-systemd.html
"All traffic from and to this address will be prohibited for processes
of the service" is nice in theory but let's say we have a internal
webserver which needs to make curl calls to the internet
IPAddressDeny=any
IPAddressAllow=localhost
IPAddressAllow=10.0.0.0/8
IPAddressAllow=192.168.0.0/16
IPAddressAllow=172.16.0.0/12
can not be used
IPAddressDenyIn=any
IPAddressAllowIn=localhost
IPAddressAllowIn=10.0.0.0/8
IPAddressAllowIn=192.168.0.0/16
IPAddressAllowIn=172.16.0.0/12
would be broadly useable
More information about the systemd-devel
mailing list