On 02/19/2017 06:34 AM, Mantas Mikulėnas wrote:
> That said... listening only on internal addresses doesn't mean the connections will be accepted only from internal interfaces -- at least for IPv4, Linux considers the addresses as belonging to the whole host, and will still accept connections from any interface. (I tested this just a while ago.) So changing the listen-addr is not a good security measure, you *still* need the corresponding firewall rules (filtering by source IP).
That's a great point. In my case the internal address is non-routable, so listening on only that address does add at least some level of difficulty for a hypothetical attacker. Always good to remember this counter-intuitive (IMO) behavior.

-- 
Ian Pilcher arequip...@gmail.com
"I grew up before Mark Zuckerberg invented friendship"

_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
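An nftables ruleset, added here as an illustration and not posted by either participant, that enforces what binding to the internal address alone does not on Linux's weak host model: the service port is accepted only when the packet both arrived on the internal interface and carries an internal source address. The interface name, addresses and port are assumed placeholders.

```nft
# Added example (not from the thread). Assumed placeholders: the service
# listens on 10.0.0.5:8080, the internal interface is eth1 and the internal
# subnet is 10.0.0.0/24. Binding the listener to 10.0.0.5 does not by itself
# stop a packet for 10.0.0.5 that arrives on the external interface; this
# ruleset does.
table inet service_guard {
    chain input {
        type filter hook input priority 0; policy accept;

        # Replies for connections this host opened are unaffected.
        ct state established,related accept

        # Accept the service only when BOTH conditions hold: the packet came
        # in on the internal interface AND from an internal source address.
        # Matching only "ip daddr 10.0.0.5" would be as weak as the bind
        # restriction, because the host answers for that address on any
        # interface.
        iifname "eth1" ip saddr 10.0.0.0/24 ip daddr 10.0.0.5 tcp dport 8080 accept

        # Everything else aimed at the service port is logged and dropped,
        # including packets for 10.0.0.5 that arrived on an external interface
        # or with a non-internal source address.
        tcp dport 8080 log prefix "service_guard drop: " drop
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list ruleset`; the log prefix makes any attempt to reach the internal listener from outside the internal subnet visible in the kernel log.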