Re: [systemd-devel] systemd-socket-proxyd usage: remote's directly ping-/telnet-able, but via proxy "Network is unreachable"?
> The PrivateNetwork=yes will lock your service into its own virtual
> network without any connectivity outside (it will contain only a
> single loopback device). Drop this line and it should
> work.

Yep, thanks. Inbound traffic via the staticIP now works exactly as intended -- mail is received at/by the mailserver @ its LAN IP.

Outbound from the mailserver, however, does not send via the proxy link.

IIUC, the proxy link IS bi-directional. But I suspect I've made an invalid assumption about what that means and what gets set up. It appears the link doesn't listen TO the LAN IP end -- so as to be able to send/return traffic FROM the mailserver.

Do I need to additionally add the mirror systemd socket+service on the mailserver box (ListenStream @ LAN IP, exec/forward to real IP @ VPS)? Or is that best dealt with by another change on the mailserver box -- route, VPN forward, NAT rule, etc?

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] systemd-socket-proxyd usage: remote's directly ping-/telnet-able, but via proxy "Network is unreachable"?
Simple fix. As usual, 5 minutes after posting ...

With a helpful prod @ #irc to look at what PrivateNetwork does @

    http://www.freedesktop.org/software/systemd/man/systemd.exec.html

    "If true, sets up a new network namespace for the executed processes and configures only the loopback network device "lo" inside it."

Then changing,

    - PrivateNetwork=yes
    + PrivateNetwork=no

does the trick. Remote SMTP now accessible over the established proxy link.
[systemd-devel] systemd-socket-proxyd usage: remote's directly ping-/telnet-able, but via proxy "Network is unreachable"?
I'm attempting to use systemd's socket-proxyd to forward a static IP on a VPS, over a VPN, to a mailserver at a remote office location, listening at a NAT'd internal IP.

The mailserver listens @ IP = 10.2.2.12.
The staticIP at the VPS is IP = 111.222.333.444.

The VPS's staticIP is pingable from the VPS

    ping -c 1 111.222.333.444
    PING 111.222.333.444 (111.222.333.444) 56(84) bytes of data.
    64 bytes from 111.222.333.444: icmp_seq=1 ttl=64 time=0.060 ms

    --- 111.222.333.444 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 0.060/0.060/0.060/0.000 ms

The office's mailserver is pingable over the VPN link

    ping -c 1 10.2.2.12
    PING 10.2.2.12 (10.2.2.12) 56(84) bytes of data.
    64 bytes from 10.2.2.12: icmp_seq=1 ttl=63 time=46.8 ms

    --- 10.2.2.12 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 46.817/46.817/46.817/0.000 ms

I can connect to the SMTP server from the VPS as well

    telnet 10.2.2.12 25
    Trying 10.2.2.12...
    Connected to 10.2.2.12.
    Escape character is '^]'.
    220 mx.mydomain.com ESMTP . No UCE permitted.
    ^]
    telnet> quit
    Connection closed.
Cribbing from the nginx examples at

    http://www.freedesktop.org/software/systemd/man/systemd-socket-proxyd.html

I've created a socket unit to listen on the staticIP

    cat /etc/systemd/system/proxy-to-mailserver.socket
    [Socket]
    ListenStream=111.222.333.444:25
    [Install]
    WantedBy=sockets.target

and a service unit to forward the traffic to the mailserver listener

    cat /etc/systemd/system/proxy-to-mailserver.service
    [Unit]
    Requires=openvpn.service
    After=openvpn.service
    [Service]
    ExecStart=/usr/lib/systemd/systemd-socket-proxyd 10.2.2.12:25
    PrivateTmp=yes
    PrivateNetwork=yes

Enable/start of the socket works

    systemctl enable proxy-to-mailserver.socket
    systemctl start proxy-to-mailserver.socket
    systemctl status proxy-to-mailserver.socket
    proxy-to-mailserver.socket
       Loaded: loaded (/etc/systemd/system/proxy-to-mailserver.socket; enabled)
       Active: active (listening) since Wed 2015-05-13 21:22:41 PDT; 2min 37s ago
       Listen: 111.222.333.444:25 (Stream)

IIUC, at this point I should be able to connect to the mailserver @ the forwarded staticIP. But, at the VPS, the connection is immediately dropped

    telnet 111.222.333.444 25
    Trying 111.222.333.444...
    Connected to 111.222.333.444.
    Escape character is '^]'.
    Connection closed by foreign host.

and @ `journalctl -f`,

    May 13 21:36:57 edge.mydomain.com systemd-socket-proxyd[5291]: Failed to connect to remote host: Network is unreachable

I'm not clear why I'm seeing "Network is unreachable" when the remote host is clearly pingable and accessible via telnet. I suspect 'PrivateNetwork' may have a hand in it, but I'm fuzzy on usage.

What's missing or incorrect about that ^^ scenario/usage?

Thanks.

pgnd
[systemd-devel] Request for clarification of use & implementation of new (systemd >= v214) "network-pre.target"
systemd v214 introduced the new network-related target, "network-pre.target". It cleanly provides a convenient and timely pre-network state trigger for Before= use in unit ordering.

As originally conceived, and currently implemented, it's of particular use for secure, early init of firewalls,

    http://lists.freedesktop.org/archives/systemd-commits/2014-June/006332.html

    commit a4a878d04045b46fa9783664e3643a890b356790
    Author: Lennart Poettering
    Date:   Wed Jun 11 11:33:02 2014 +0200

        units: introduce network-pre.target as place to hook in firewalls
    ...

This target, specifically, started interest/discussion in its correct use for shorewall SW 4.6.4+'s systemd service files' Before=/After= dependency on 'network.target' -- should that be 'network-pre.target' and 'network-online.target'?

    http://comments.gmane.org/gmane.comp.security.shorewall/31879

It was pointed out later in that same thread,

    http://permalink.gmane.org/gmane.comp.security.shorewall/31885

that not all distros have currently, nor in the immediate future, plans for up-to-date systemd. openSUSE, e.g., has available, &/or will use, v210 for openSUSE versions 13.1, 13.2 & Factory.

Reviewing the commit implementing network-pre.target, above, it looks relatively simple, and it was suggested in #systemd to apply the change as a patch to the existing systemd implementation. To that end, I raised a request at the distro to do so,

    https://bugzilla.suse.com/show_bug.cgi?id=900505
    Bug 900505 - Base:System/systemd: Bug Request to add upstream's patch to include v214's new 'network-pre.target' for early/secure pre-network dependency activation of firewall services

Atm in that discussion, there's some confusion. If there's any possibility of participation from here at/about that bug to help clarify what can/should be done, it'd be appreciated.

At the very least, it'd be helpful to get some specific clarification here re:

(1) Can the aforementioned patch be safely/cleanly applied to a v210 tree?

(2) Is the systemd-networkd service required to be active to correctly support/detect network state on system startup, and properly trigger network-pre.target at the right time? It does not appear to be required for either network.target or network-online.target ...

(3) This

    https://wiki.archlinux.org/index.php/systemd-networkd

but not these

    http://www.freedesktop.org/software/systemd/man/systemd-networkd.service.html
    http://www.freedesktop.org/software/systemd/man/systemd.network.html

explicitly states that

    " ... This service (systemd-networkd) can run alongside your usual network management tool ... "

IIUC, that suggests that systemd-networkd can be started in a detect-only mode, e.g., if no .network or .netdev are specified, leaving network & interface startup to other mechanisms (not that I see the benefit in doing so; nonetheless ...). Is that correct?

Thanks.
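The two unit-file pitfalls raised in these threads (a systemd-socket-proxyd service run under PrivateNetwork=yes, which can only reach loopback, and a firewall unit that hooks network-pre.target) as an added POSIX-sh sanity check; this is not code from the posters or from systemd. It assumes plain Key=Value unit files like the ones posted above and relies on network-pre.target being a passive target, so a firewall unit needs both Wants= and Before= on it; the unit_get helper and the sample unit files are constructed here.

```shell
#!/bin/sh
# Constructed example: sanity-check unit files for the two pitfalls above.

# unit_get FILE SECTION KEY: print every value assigned to KEY in [SECTION],
# space-joined (systemd merges list settings; for booleans use the last word).
unit_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[#;]/ { next }                          # skip comment lines
        /^\[/   { insec = ($0 == sec); next }     # track the current section
        insec && $0 ~ ("^" key "[ \t]*=") {
            sub("^[^=]*=[ \t]*", ""); sub("[ \t]+$", "")
            vals = vals (vals == "" ? "" : " ") $0
        }
        END { print vals }' "$1"
}

# A systemd-socket-proxyd service under PrivateNetwork=yes gets a namespace
# holding only "lo", so any non-loopback remote is "Network is unreachable".
check_proxyd_unit() {
    exec_start=$(unit_get "$1" Service ExecStart)
    case "$exec_start" in *systemd-socket-proxyd*) ;; *) echo "not a socket-proxyd unit"; return 0 ;; esac
    remote=${exec_start##* }                      # last argument is HOST:PORT
    pn=$(unit_get "$1" Service PrivateNetwork); pn=${pn##* }
    case "$remote" in 127.*|localhost:*|\[::1\]:*) echo OK; return 0 ;; esac
    case "$pn" in yes|y|true|t|on|1) echo "PrivateNetwork=yes isolates the proxy from $remote"; return 1 ;; esac
    echo OK
}

# network-pre.target is passive: a firewall unit must both order itself
# Before= it and pull it in with Wants=, otherwise the hook never fires.
check_firewall_unit() {
    before=" $(unit_get "$1" Unit Before) "; wants=" $(unit_get "$1" Unit Wants) "
    case "$before" in *" network-pre.target "*) ;; *) echo "missing Before=network-pre.target"; return 1 ;; esac
    case "$wants"  in *" network-pre.target "*) ;; *) echo "missing Wants=network-pre.target";  return 1 ;; esac
    echo OK
}

# Constructed samples: the proxy unit as posted, its fixed form, and a
# firewall unit that only orders itself against network-pre.target.
dir=$(mktemp -d); trap 'rm -rf "$dir"' EXIT
printf '%s\n' '[Service]' 'ExecStart=/usr/lib/systemd/systemd-socket-proxyd 10.2.2.12:25' \
    'PrivateTmp=yes' 'PrivateNetwork=yes' > "$dir/proxy-as-posted.service"
sed 's/^PrivateNetwork=yes/PrivateNetwork=no/' "$dir/proxy-as-posted.service" > "$dir/proxy-fixed.service"
printf '%s\n' '[Unit]' 'Before=network-pre.target' '[Service]' 'ExecStart=/bin/true' > "$dir/firewall.service"

for f in proxy-as-posted proxy-fixed; do printf '%s: ' "$f"; check_proxyd_unit "$dir/$f.service" || :; done
printf 'firewall: '; check_firewall_unit "$dir/firewall.service" || :
```

Point either check at a real unit under /etc/systemd/system to get the same one-line verdict; a non-zero return marks the unit as needing attention.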