Hi Leonid,

> On Sun, Jun 08, 2014 at 12:33:44PM +0000, Rusty Bird wrote:
>> Adding to Djalal's and Mantas's examples, the systemd host may also be
>> a gateway with its firewall configured to forward only *some* packets.
> If systemd itself is a server (you mean journald really, yes?)

"systemd host" = The machine that systemd runs on

In the example, this machine is a gateway/router, so it's the Linux kernel (not systemd itself or any service) that receives packets from other machines in your network and forwards them towards their destination.

> how can I protect the machine with yet another target? Why is there no way to tell
> systemd directly to start listening only after network.target is up?
>
> On a related note, what do you do about things like sshd.socket (or crap like
> cups.socket) which are not ordered against anything network-related?

network-pre.target is intended to block the initial configuration of the network interfaces (your Ethernet card, your WiFi radio) so that it doesn't matter what software component is listening for, or trying to send, packets: The machine remains cut off from all* network links until the firewall initialization succeeds.

* Except if you bring up a network interface during "early boot", e.g. using the kernel parameter ip= or an initramfs. In that case, it's your own responsibility to bring it down before systemd takes over. If you care about leaks.

Rusty
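As an added illustration (not from the thread or the systemd project), here is a firewall unit ordered ahead of network-pre.target in the way described above. The unit name, the two nftables rule files and the nft paths are assumptions; the baseline ruleset is loaded first so that a broken main ruleset leaves the host closed rather than open.

```ini
# /etc/systemd/system/firewall.service   (file name is an assumption)
[Unit]
Description=Load firewall rules before any network interface is configured
# network-pre.target is a passive target: nothing pulls it in unless a unit
# like this one Wants= it, and the ordering below is what makes it useful.
Wants=network-pre.target
# Finish before network-pre.target, and therefore before the network manager
# (networkd, NetworkManager, ifup, ...) starts configuring interfaces.
Before=network-pre.target
# Drop the implicit After=basic.target so this can run early in boot; with
# DefaultDependencies=no the shutdown conflict must be declared by hand.
DefaultDependencies=no
After=local-fs.target systemd-sysctl.service
Conflicts=shutdown.target
# Caveat from the thread: interfaces brought up by an initramfs or the ip=
# kernel parameter are already configured before this unit ever runs.

[Service]
Type=oneshot
RemainAfterExit=yes
# Step 1 (assumed file): a minimal deny-by-default ruleset that only allows
# loopback. If step 2 fails, this is what stays in the kernel.
ExecStartPre=/usr/sbin/nft -f /etc/nftables/baseline-drop.nft
# Step 2 (assumed file): the real ruleset, including the gateway's
# forward-only-some-packets policy. The file should begin with "flush ruleset"
# so it replaces the baseline atomically instead of stacking on top of it.
ExecStart=/usr/sbin/nft -f /etc/nftables/main.nft

[Install]
WantedBy=multi-user.target
```

Enable with `systemctl enable firewall.service`; `systemctl list-dependencies --before firewall.service` should then show network-pre.target and the network manager unit ordered after it.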
_______________________________________________ systemd-devel mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/systemd-devel
