On Sun, 8 Jun 2014 at 11:44 AM, Leonid Isaev
<[email protected]> wrote:
Hi,
On Sun, Jun 08, 2014 at 12:33:44PM +0000, Rusty Bird wrote:
Date: Sun, 08 Jun 2014 12:33:44 +0000
From: Rusty Bird <[email protected]>
To: [email protected]
Subject: Re: [systemd-devel] [PATCH] Add a network-pre.target to avoid firewall leaks
Leonid Isaev:
> But by the time network.target is reached there are no listening
> services yet, are there? So, why would one need a firewall?
Adding to Djalal's and Mantas's examples, the systemd host may also
be a gateway with its firewall configured to forward only *some*
packets.
Rusty
Thanks for the explanation, but this is exactly what I don't
understand. But please note that I agree with you that the firewall
must be enabled as early as possible during boot...
If systemd itself is a server (you mean journald really, yes?), how
can I protect the machine with yet another target? Why is there no way
to tell systemd directly to start listening only after network.target
is up?
On a related note, what do you do about things like sshd.socket (or
crap like cups.socket) which are not ordered against anything
network-related?
Because the firewall comes up before the network interfaces, no
connection can possibly be created before the firewall is configured.
The result is that even though systemd is listening on cups.socket or
sshd.socket, once a remote connection is established, the firewall will
already be configured.
Hope that helps,
--
Cameron Norman
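The ordering Cameron describes, as an added example that is not part of this thread or of the systemd patch itself: a oneshot firewall unit that pulls in network-pre.target and orders itself before it, so the rules are loaded before any interface can carry a packet. The unit name, the rules-file paths and the use of iptables-restore are assumptions.

```ini
# Added example (not from the thread). Assumed file name:
# /etc/systemd/system/firewall.service
[Unit]
Description=Load packet filter rules before any network interface is configured
Documentation=man:iptables-restore(8)
# network-pre.target is a passive target: nothing reaches it unless a unit
# pulls it in, so this unit must both Want it and order itself Before it.
# Network management services order themselves After=network-pre.target,
# which is what keeps interfaces down until the rules are in place.
Wants=network-pre.target
Before=network-pre.target
# Drop the implicit After=basic.target so the rules load as early in boot
# as possible, and add back the shutdown ordering this opts out of.
DefaultDependencies=no
Conflicts=shutdown.target
Before=shutdown.target

[Service]
Type=oneshot
# Stay "active" after the one-shot commands finish so the Before= ordering
# keeps holding for the rest of boot.
RemainAfterExit=yes
# Assumed rule file locations; both v4 and v6 tables are restored.
ExecStart=/usr/sbin/iptables-restore /etc/iptables/rules.v4
ExecStart=/usr/sbin/ip6tables-restore /etc/iptables/rules.v6

[Install]
WantedBy=multi-user.target
```

Socket units such as sshd.socket or cups.socket need no ordering of their own under this scheme: systemd may already be listening on them, but no remote peer can reach the socket until an interface is configured, and that happens only after network-pre.target.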
_______________________________________________
systemd-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/systemd-devel