19.02.2017 15:34, Mantas Mikulėnas writes:
> On Sat, Feb 18, 2017 at 10:32 PM, Ian Pilcher <arequip...@gmail.com> wrote:
>
>> I have configured sshd on my firewall to listen only on its internal
>> IP address. This is causing it to fail when it first starts, since the
>> IP address is not actually configured yet.
>>
>> I have confirmed that adding network-online.target to the After=... line
>> in the sshd.service file works, but I know that using a drop-in is the
>> preferred way of doing this.
>>
>> I haven't been able to find clear documentation of whether files in the
>> drop-in directory are "incremental" or not.
>>
>
> All multi-valued parameters are incremental.
>
> Alternatively, you could use sshd.socket (socket-activation) with
> FreeBind=yes -- that way Linux would allow the socket to be bound even if
> the address isn't configured yet.
>
> That said... listening only on internal addresses doesn't mean the
> connections will be accepted only from internal interfaces -- at least for
> IPv4, Linux considers the addresses as belonging to the whole host, and
> will still accept connections from any interface. (I tested this just a
> while ago.) So changing the listen-addr is not a good security measure, you
> *still* need the corresponding firewall rules (filtering by source IP).
>
What is the value of rp_filter sysctl on your interfaces (/proc/sys/net/ipv4/conf/*/rp_filter)?

_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
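As an added illustration of the two routes discussed in the thread (it is not from the thread or from any distribution's shipped units): one drop-in that appends to the list-valued After= of sshd.service, and one that replaces the listen address of sshd.socket and sets FreeBind=yes. The internal address 192.0.2.10 is an assumed placeholder.

```ini
# /etc/systemd/system/sshd.service.d/wait-online.conf   (added example)
# Drop-in for the "keep sshd.service" route. List-valued settings such as
# After= and Wants= are appended to the values in the shipped unit, so the
# original After= line is kept and network-online.target is added to it.
# Wants= is needed as well: network-online.target only delays anything if
# some unit pulls it in.
[Unit]
After=network-online.target
Wants=network-online.target

# /etc/systemd/system/sshd.socket.d/internal-only.conf   (added example)
# Drop-in for the socket-activation route. An empty assignment resets a
# list-valued setting, so the first ListenStream= clears the shipped
# "every address, port 22" entry and the second adds only the internal
# address (192.0.2.10 is an assumed placeholder). FreeBind=yes sets
# IP_FREEBIND so the socket can be bound before the address is configured
# on the interface.
[Socket]
ListenStream=
ListenStream=192.0.2.10:22
FreeBind=yes
```

After `systemctl daemon-reload`, `systemctl cat sshd.socket` shows the merged result so the reset-then-add can be checked. As the reply notes, the listen address still does not restrict which interface a connection arrives on, so the source-IP firewall rule stays in place.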