On Sun, 19.02.17 14:34, Mantas Mikulėnas (graw...@gmail.com) wrote:

> On Sat, Feb 18, 2017 at 10:32 PM, Ian Pilcher <arequip...@gmail.com> wrote:
>
> > I have configured sshd on my firewall to listen only on its internal
> > IP address. This is causing it to fail when it first starts, since the
> > IP address is not actually configured yet.
> >
> > I have confirmed that adding network-online.target to the After=... line
> > in the sshd.service file works, but I know that using a drop-in is the
> > preferred way of doing this.
> >
> > I haven't been able to find clear documentation of whether files in the
> > drop-in directory are "incremental" or not.
>
> All multi-valued parameters are incremental.
>
> Alternatively, you could use sshd.socket (socket-activation) with
> FreeBind=yes -- that way Linux would allow the socket to be bound even if
> the address isn't configured yet.
>
> That said... listening only on internal addresses doesn't mean the
> connections will be accepted only from internal interfaces -- at least for
> IPv4, Linux considers the addresses as belonging to the whole host, and
> will still accept connections from any interface. (I tested this just a
> while ago.) So changing the listen-addr is not a good security measure, you
> *still* need the corresponding firewall rules (filtering by source IP).

An efficient way to mask all traffic coming in from other interfaces is by
using BindToDevice= in the socket file.

Lennart

--
Lennart Poettering, Red Hat

_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
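The two drop-ins the thread describes, written out as an added example (this is not code from the thread or from the systemd project). The drop-in file names, the interface name `eth0` and the internal address `192.0.2.10` are assumptions; `After=`, `Wants=`, `ListenStream=`, `FreeBind=` and `BindToDevice=` are the real systemd unit settings. The first fragment covers the non-socket-activated case Ian asked about; the second covers the socket-activated case Mantas and Lennart suggest. Because multi-valued settings are incremental, the `After=`/`Wants=` lines are appended to whatever `sshd.service` already lists, while the empty `ListenStream=` assignment is the documented way to clear the listeners inherited from `sshd.socket` before adding the internal address.

```ini
# /etc/systemd/system/sshd.service.d/wait-for-network.conf   (assumed path)
# Drop-in for a classic sshd.service. After= only orders sshd behind
# network-online.target; Wants= is what actually pulls the target in,
# so both are needed for the "wait until the address exists" behaviour.
[Unit]
After=network-online.target
Wants=network-online.target

# /etc/systemd/system/sshd.socket.d/internal-only.conf   (assumed path)
# Drop-in for socket activation via sshd.socket.
[Socket]
# ListenStream= is multi-valued and therefore incremental: an empty
# assignment resets the list, otherwise 192.0.2.10:22 would be added
# alongside the listeners already defined in sshd.socket.
ListenStream=
ListenStream=192.0.2.10:22
# Let bind() succeed even while the address is not yet configured
# (IP_FREEBIND), which is the start-up failure described in the thread.
FreeBind=yes
# Bind the socket to the internal interface (SO_BINDTODEVICE): packets
# that arrive on any other interface are not delivered to this socket,
# which is the masking Lennart refers to. Assumed interface name.
BindToDevice=eth0
```

After writing the drop-ins run `systemctl daemon-reload`; with socket activation, enable `sshd.socket` rather than `sshd.service`, and check the merged result with `systemctl cat sshd.socket`. Note that `BindToDevice=` filters by ingress interface, not by source address, so Mantas's point about keeping the firewall's source-IP rules still applies.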