There are. You have socket-activated services, and you have services that bind to 0.0.0.0 or ::, and you have services that make use of IP_FREEBIND to avoid having to wait for addresses to be assigned...
--
Mantas Mikulėnas <[email protected]>

On Jun 8, 2014 2:27 AM, "Leonid Isaev" <[email protected]> wrote:

> On Sun, Jun 08, 2014 at 01:07:38AM +0200, Zbigniew Jędrzejewski-Szmek wrote:
> > Date: Sun, 8 Jun 2014 01:07:38 +0200
> > From: Zbigniew Jędrzejewski-Szmek <[email protected]>
> > To: Michael Biebl <[email protected]>
> > Cc: systemd Mailing List <[email protected]>
> > Subject: Re: [systemd-devel] [PATCH] Add a network-pre.target to avoid
> >  firewall leaks
> > User-Agent: Mutt/1.5.20 (2009-06-14)
> >
> > On Sun, Jun 08, 2014 at 12:55:55AM +0200, Michael Biebl wrote:
> > > Could you elaborate why Before=network.target is too late?
> > Because then network setup races with e.g. iptables setup. Depending
> > on the timing, a window in which the network has been set up, but
> > the firewall is not yet in place.
>
> But by the time network.target is reached there are no listening services yet,
> are there? So, why would one need a firewall?
>
> Thanks,
> Leonid.
>
> --
> Leonid Isaev
> GPG fingerprints: DA92 034D B4A8 EC51 7EA6 20DF 9291 EE8A 043C B8C4
>                   C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D
>
> _______________________________________________
> systemd-devel mailing list
> [email protected]
> http://lists.freedesktop.org/mailman/listinfo/systemd-devel
