Hi,

On Sun, Jun 08, 2014 at 12:33:44PM +0000, Rusty Bird wrote:
> Date: Sun, 08 Jun 2014 12:33:44 +0000
> From: Rusty Bird <[email protected]>
> To: [email protected]
> Subject: Re: [systemd-devel] [PATCH] Add a network-pre.target to avoid
> firewall leaks
>
> Leonid Isaev:
> > But by the time network.target is reached there are no listening services
> > yet, are there? So, why would one need a firewall?
>
> Adding to Djalal's and Mantas's examples, the systemd host may also be
> a gateway with its firewall configured to forward only *some* packets.
>
> Rusty
Thanks for the explanation, but this is exactly what I don't understand. But
please note that I agree with you that the firewall must be enabled as early as
possible during boot...

If systemd itself is a server (you mean journald really, yes?), how can I
protect the machine with yet another target? Why is there no way to tell
systemd directly to start listening only after network.target is up?

On a related note, what do you do about things like sshd.socket (or crap like
cups.socket) which are not ordered against anything network-related?
Cheers,
--
Leonid Isaev
GPG fingerprints: DA92 034D B4A8 EC51 7EA6 20DF 9291 EE8A 043C B8C4
C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D
_______________________________________________
systemd-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
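As an added illustration of the ordering being discussed in this thread (example unit files, not from the patch or from either poster): a firewall service that pulls in and runs before network-pre.target, and a drop-in that orders sshd.socket after it so the socket does not listen before the ruleset is loaded. The unit name firewall.service and the scripts under /usr/local/sbin are assumptions.

```ini
# /etc/systemd/system/firewall.service  (assumed name; added example)
[Unit]
Description=Load firewall rules before any interface is configured
# network-pre.target is passive: it is only reached if some unit Wants= it,
# so the firewall pulls it in and orders itself before it. Network managers
# order themselves After=network-pre.target, which gives the early guarantee.
Wants=network-pre.target
Before=network-pre.target
# Skip the default sysinit ordering; only local filesystems are needed
# to read the ruleset, which keeps the window before the firewall short.
DefaultDependencies=no
After=local-fs.target
Before=shutdown.target
Conflicts=shutdown.target

[Service]
Type=oneshot
RemainAfterExit=yes
# Assumed scripts: firewall-load restores the ruleset, firewall-unload flushes it.
ExecStart=/usr/local/sbin/firewall-load
ExecStop=/usr/local/sbin/firewall-unload

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/sshd.socket.d/firewall-order.conf  (drop-in, added example)
# A socket unit with no network ordering of its own would otherwise be bound
# during sockets.target regardless of the firewall; this delays it until
# network-pre.target (and therefore firewall.service) has completed.
[Unit]
After=network-pre.target
```

The same drop-in shape applies to any other socket unit (cups.socket, for instance); verify the result with `systemctl list-dependencies --after sshd.socket`.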
