On Mon, Jun 09, 2014 at 07:57:29AM +0000, Rusty Bird wrote:
> Date: Mon, 09 Jun 2014 07:57:29 +0000
> From: Rusty Bird <[email protected]>
> To: [email protected]
> Subject: Re: [systemd-devel] [PATCH] Add a network-pre.target to avoid firewall leaks
> 
> Hi Leonid,
> 
> > On Sun, Jun 08, 2014 at 12:33:44PM +0000, Rusty Bird wrote:
> 
> >> Adding to Djalal's and Mantas's examples, the systemd host may also be
> >> a gateway with its firewall configured to forward only *some* packets.
> 
> > If systemd itself is a server (you mean journald really, yes?)
> 
> "systemd host" = The machine that systemd runs on
> 
> In the example, this machine is a gateway/router, so it's the Linux
> kernel (not systemd itself or any service) that receives packets from
> other machines in your network and forwards them towards their
> destination.
> 
> > how can I
> > protect the machine with yet another target? Why there is no way to tell
> > systemd directly to start listening only after network.target is up?
> > 
> > On a related note, what do you do about things like sshd.socket (or crap
> > like cups.socket) which are not ordered against anything network-related?
> 
> network-pre.target is intended to block the initial configuration of
> the network interfaces (your Ethernet card, your WiFi radio) so that
> it doesn't matter what software component is listening for, or trying
> to send, packets: The machine remains cut off from all* network links
> until the firewall initialization succeeds.
> 
> * Except, if you bring up a network interface during "early boot", e.g.
> using the kernel parameter ip= or an initramfs. In that case, it's your
> own responsibility to bring it down before systemd takes over. If you
> care about leaks.

Cool. I see your point now.

Thanks,
Leonid.

-- 
Leonid Isaev
GPG fingerprints: DA92 034D B4A8 EC51 7EA6  20DF 9291 EE8A 043C B8C4
                  C0DF 20D0 C075 C3F1 E1BE  775A A7AE F6CB 164B 5A6D


_______________________________________________
systemd-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
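Added illustration, not part of the thread and not a unit shipped by systemd: this is how a firewall service hooks into network-pre.target the way Rusty describes. network-pre.target is a passive target that nothing pulls in on its own, so the firewall unit has to both want it and order itself before it, and the unit that configures the interfaces has to order itself after it. The unit names, the ruleset paths and the use of iptables-restore are assumptions made for the example.

```ini
# /etc/systemd/system/firewall.service   (hypothetical unit, added example)
[Unit]
Description=Load packet filter rules before any network interface is configured
# network-pre.target is not pulled in by anything by default: the firewall
# unit must both Want it and order itself Before it, otherwise the target is
# reached immediately and the interfaces come up with an empty ruleset.
Wants=network-pre.target
Before=network-pre.target

[Service]
Type=oneshot
# Stay "active" after the rules are loaded so that the unit is not
# restarted (and the ruleset not reloaded) every time something Wants it.
RemainAfterExit=yes
# iptables-restore replaces the whole table atomically; the rule files are
# assumed to start with DROP policies on INPUT and FORWARD so that the
# host (and the gateway case from the thread) fails closed.
ExecStart=/sbin/iptables-restore /etc/iptables/rules.v4
ExecStart=/sbin/ip6tables-restore /etc/iptables/rules.v6

[Install]
WantedBy=multi-user.target


# /etc/systemd/system/NetworkManager.service.d/firewall-first.conf
# (drop-in, added example; systemd-networkd already ships After=network-pre.target,
# add this only if your interface-configuring unit does not)
[Unit]
# After= alone only waits for firewall.service's job to *finish*; a failed
# firewall job would still let the interfaces come up.  Requires= plus an
# explicit After= on the same unit makes a failed firewall abort the start
# of the network unit, which is the fail-closed behaviour you want.
Requires=firewall.service
After=firewall.service network-pre.target
```

After `systemctl daemon-reload` and a reboot, `systemd-analyze critical-chain network-pre.target` shows that the target waited for firewall.service, and `systemctl list-dependencies --reverse network-pre.target` shows which units pull it in. The footnote in Rusty's message still applies: an interface brought up by the initramfs or by the kernel's `ip=` parameter is already configured before systemd starts, and no ordering against network-pre.target can retroactively protect it.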