On 19.02.2017 at 13:34, Mantas Mikulėnas wrote:
On Sat, Feb 18, 2017 at 10:32 PM, Ian Pilcher <arequip...@gmail.com> wrote:

    I have configured sshd on my firewall to listen only on its internal
    IP address.  This is causing it to fail when it first starts, since the
    IP address is not actually configured yet.

    I have confirmed that adding network-online.target to the After=... line
    in sshd.service file works, but I know that using a drop-in is the
    preferred way of doing this.

    I haven't been able to find clear documentation of whether files in the
    drop-in directory are "incremental" or not.


All multi-valued parameters are incremental.

Alternatively, you could use sshd.socket (socket-activation) with
FreeBind=yes -- that way Linux would allow the socket to be bound even
if the address isn't configured yet.

That said... listening only on internal addresses doesn't mean the
connections will be accepted only from internal interfaces -- at least
for IPv4, Linux considers the addresses as belonging to the whole host,
and will still accept connections from any interface. (I tested this
just a while ago.) So changing the listen-addr is not a good security
measure, you *still* need the corresponding firewall rules (filtering by
source IP).

I guess you tested that from the local host itself and not from the outside, because this is *not* true.

On the local machine things are different, like rejecting a specific port for the "lo" interface, but "telnet lan-address port" is also refused.
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
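The two approaches discussed in this thread, as an added example that is not part of the original mails or of systemd or OpenSSH: a drop-in for sshd.service that waits for network-online.target, a drop-in for sshd.socket that binds one internal address with FreeBind=yes, and a small emulation of systemd's merge rule for multi-valued settings (assignments append, an empty assignment resets) so that the effect of a drop-in can be checked before it is installed. The address 192.0.2.1, the staging directory, the drop-in file names and the constructed stand-in for the stock sshd.socket are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from systemd/OpenSSH: stages the two
# drop-ins discussed above and emulates systemd's merge rule for list settings
# so a drop-in can be checked before it is installed. The address 192.0.2.1,
# the staging directory and the drop-in file names are assumptions.

# Emulate how systemd merges a list-valued setting (ListenStream=, After=,
# Wants=, ...) across a unit file and its drop-ins, in the order given:
# every assignment appends, an empty assignment resets the list.
# Prints the effective values one per line.  Usage: effective_values KEY FILE...
effective_values() {
    key=$1
    shift
    awk -v key="$key" '
        index($0, key "=") == 1 {
            val = substr($0, length(key) + 2)
            if (val == "") n = 0; else vals[++n] = val
        }
        END { for (i = 1; i <= n; i++) print vals[i] }
    ' "$@"
}

# Constructed stand-in for the stock sshd.socket shipped by a distribution:
# it listens on the wildcard address, i.e. on every interface.
sample_sshd_socket() {
    printf '%s\n' '[Socket]' 'ListenStream=22' 'Accept=yes'
}

# Stage the drop-ins under $1 (use / for the real system); $2 is the internal
# address sshd should bind.  Drop-ins are merged with the unit, so a list
# setting that appears in both is appended to, not replaced.
write_sshd_dropins() {
    stage=$1
    addr=$2
    svc_d=$stage/etc/systemd/system/sshd.service.d
    sock_d=$stage/etc/systemd/system/sshd.socket.d
    mkdir -p "$svc_d" "$sock_d"

    # After= only orders sshd behind the target; Wants= is what makes systemd
    # actually pull in network-online.target (and the wait-online service
    # behind it), otherwise the ordering has nothing to wait for.
    cat > "$svc_d/10-wait-online.conf" <<EOF
[Unit]
Wants=network-online.target
After=network-online.target
EOF

    # Without the empty "ListenStream=" the wildcard listener from the stock
    # unit stays active alongside the internal one.  FreeBind= lets the bind
    # succeed before the address is configured (IP_FREEBIND).
    cat > "$sock_d/10-internal-only.conf" <<EOF
[Socket]
ListenStream=
ListenStream=$addr:22
FreeBind=yes
EOF
}

# Demonstration: what a drop-in with and without the reset line yields.
stage=$(mktemp -d)
write_sshd_dropins "$stage" 192.0.2.1
sample_sshd_socket > "$stage/sshd.socket"
printf '%s\n' '[Socket]' 'ListenStream=192.0.2.1:22' > "$stage/no-reset.conf"
echo "effective ListenStream= with the reset line:"
effective_values ListenStream "$stage/sshd.socket" \
    "$stage/etc/systemd/system/sshd.socket.d/10-internal-only.conf"
echo "effective ListenStream= without it (both listeners stay active):"
effective_values ListenStream "$stage/sshd.socket" "$stage/no-reset.conf"
rm -rf "$stage"
```

On the real system, run it with `/` as the staging directory, then `systemctl daemon-reload` and `systemctl cat sshd.socket` to see the unit together with its drop-in the way systemd merges it; switching from the service to the socket means `systemctl disable --now sshd.service` followed by `systemctl enable --now sshd.socket`. The reset line is the part people forget: because drop-ins are incremental, a drop-in that only adds `ListenStream=192.0.2.1:22` leaves the wildcard listener from the stock unit in place, which is worse than the original problem. And, as pointed out above, the listen address alone is not the access control; the firewall rule filtering by source address (and ideally by ingress interface) is still required.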
