
PrivateNetwork setting

The property PrivateNetwork is a systemd unit setting used for sandboxing.

Purpose: Defines whether the service can see and use the network interfaces of the host

Why and when to use PrivateNetwork

With the systemd unit setting PrivateNetwork a service can be started in a network namespace of its own. If enabled, all network interfaces of the host are invisible to the service. Only a loopback interface 'lo' exists inside the new namespace, so the service can neither reach the host's network nor anything beyond it. This loopback is separate from the host's: a service inside the namespace cannot connect to a daemon listening on 127.0.0.1 on the host, and the host cannot reach ports the service opens.

Generic advice

For most services PrivateNetwork=yes is not an option, because they require network communication. It is however useful for scripts and helper services that do not need any network access, such as timer-driven local maintenance jobs.

Caveats

Setting PrivateNetwork to yes will also set PrivateMounts to yes, unless PrivateMounts=no is specified explicitly. Before turning this on, investigate the impact of PrivateMounts.

A new network namespace disconnects all socket families from the host, not only IP. AF_NETLINK events (such as device events from udev) no longer arrive, and AF_UNIX sockets in the host's abstract socket namespace become unreachable. AF_UNIX sockets that live in the file system keep working, so a service can still talk to D-Bus or a local database over a socket path.

Socket activation is not affected by a PrivateNetwork setting on the service unit alone: the listening socket is bound by systemd in the host's namespace and handed to the service as a file descriptor, so a socket-activated service keeps receiving connections. Set PrivateNetwork=yes on the .socket unit as well if the socket must be bound inside the private namespace.

systemd may be unable to implement the setting at all, for example when network namespaces are not available. Do not rely on it as the only network restriction for a service.

If two services still need to communicate with each other, then this is possible using the JoinsNamespaceOf setting in the [Unit] section. It only takes effect when both the joining unit and the unit whose namespace is joined have PrivateNetwork=yes.
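The two situations above as unit files, added here as an example and not taken from the article or from systemd's own documentation. The unit names cleanup-tmpfiles.service, app-worker.service and app-api.service, the paths and the port are hypothetical.

```ini
# /etc/systemd/system/cleanup-tmpfiles.service.d/override.conf
# Drop-in created with "systemctl edit cleanup-tmpfiles.service" (hypothetical
# unit). The job only touches local files, so it needs no host interface.
[Service]
PrivateNetwork=yes
# PrivateNetwork=yes implies PrivateMounts=yes. Opt out explicitly only if the
# job must see mounts the host makes after the service has started:
#PrivateMounts=no

# /etc/systemd/system/app-worker.service (hypothetical)
# Both units need PrivateNetwork=yes for JoinsNamespaceOf to take effect. The
# worker then shares the private namespace of app-api.service and reaches it
# on 127.0.0.1, while neither unit sees the host's interfaces.
[Unit]
Description=Worker for app-api, isolated from the host network
JoinsNamespaceOf=app-api.service
Requires=app-api.service
After=app-api.service

[Service]
ExecStart=/usr/local/bin/app-worker --api http://127.0.0.1:8080
PrivateNetwork=yes

[Install]
WantedBy=multi-user.target
```

After editing run systemctl daemon-reload and restart both units; systemctl show --property=PrivateNetwork on each unit confirms the value that is in effect.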

Testing

To see if a program works with this property, consider using the systemd-run command.

With the default value 'no', all interfaces (links) of the host are visible.

# systemd-run --pty --property=PrivateNetwork=no ip link
Running as unit: run-p3085-i3385.service
Press ^] three times within 1s to disconnect TTY.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 52:52:52:bd:bd:bd brd ff:ff:ff:ff:ff:ff
    altname enx525252bdbdbd

When set to 'yes', only the loopback interface shows up.

# systemd-run --pty --property=PrivateNetwork=yes ip link
Running as unit: run-p3079-i3379.service; invocation ID: fec3a19e27ba4226aeaba5a50a869b1e
Press ^] three times within 1s to disconnect TTY.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

Trying to ping a device on the local network will fail, because the new namespace has no interface and no route that leads out of it.

# systemd-run --pty --property=PrivateNetwork=yes ping -c 1 192.168.1.1
Running as unit: run-p3106-i3406.service
Press ^] three times within 1s to disconnect TTY.
/usr/bin/ping: connect: Network is unreachable
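The same checks as a script, added here as an example that is not part of the original article. It runs ip link with and without PrivateNetwork through systemd-run and verifies that the private namespace contains nothing but lo, then confirms that a ping out of it fails. It assumes a root shell on a systemd host with iproute2 and a systemd-run that supports --pipe, --wait and --collect (systemd 236 or newer); the address 192.168.1.1 is the same illustrative gateway as above.

```sh
#!/bin/sh
# check-private-network.sh: added example, not from the original article.
# Verifies that a command run under PrivateNetwork=yes sees only 'lo'.
# Assumes root, systemd-run >= 236 and iproute2; 192.168.1.1 is illustrative.

# Print the interface names found in 'ip -o link' output read from stdin.
# With -o each interface is one line: "N: name[@peer]: <FLAGS> mtu ...".
link_names() {
    awk -F': ' '$2 != "" { split($2, n, "@"); print n[1] }'
}

# Exit 0 when the 'ip -o link' output on stdin lists no interface but 'lo'.
only_loopback() {
    n=$(link_names | grep -v -x 'lo' | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# Run a command in a transient unit with the given PrivateNetwork value.
# --pipe keeps its output on our stdout, --wait blocks until it exits and
# propagates its exit status, --collect removes the unit even if it failed.
run_with_private_network() {
    value=$1
    shift
    systemd-run --quiet --pipe --wait --collect \
        --property=PrivateNetwork="$value" "$@"
}

check_isolation() {
    if run_with_private_network no ip -o link | only_loopback; then
        echo "unexpected: no host interface visible with PrivateNetwork=no"
        return 1
    fi
    if ! run_with_private_network yes ip -o link | only_loopback; then
        echo "FAIL: host interfaces are visible inside the private namespace"
        return 1
    fi
    # lo is up inside the namespace, but nothing outside it is reachable.
    if run_with_private_network yes ping -c 1 -W 1 192.168.1.1 >/dev/null 2>&1; then
        echo "FAIL: ping to the host network succeeded"
        return 1
    fi
    echo "OK: PrivateNetwork=yes leaves only lo and no route out"
}

# Usage (as root): sh check-private-network.sh --run
if [ "${1:-}" = "--run" ]; then
    check_isolation
fi
```

The parsing is separated from the systemd-run calls so the expectation ("only lo") can be checked against captured output as well, for example in a CI job that collects ip -o link from a test host.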

Values

Systemd unit setting PrivateNetwork expects a boolean (yes/no or true/false).

Values for systemd unit setting PrivateNetwork

  Value  Intended action                                                Available since systemd version
  no     normal access to network interfaces (default)                  33
  yes    create a new network namespace; the service has no access to   33
         the network interfaces of the host system

Example to show the current value of PrivateNetwork for the ssh service:

systemctl show --property=PrivateNetwork ssh.service

Frequently Asked Questions

How to use systemctl edit?

Run systemctl with the 'edit' subcommand and service.

systemctl edit UNIT.service

See full answer at How to use systemctl edit to change a service?

Feedback


This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.
