SocketBindAllow setting
This article was last updated at .
The property SocketBindAllow is a systemd unit setting used for sandboxing. It is available since systemd 249.
Purpose: define which address families, transport protocols, and/or ports a service is allowed to bind() a socket to
New to securing and tuning systemd services? Start with the how to harden a systemd service unit article to learn tuning step-by-step, including the usage of relevant tools.
Why and when to use SocketBindAllow
The setting SocketBindAllow is used together with SocketBindDeny and restricts which socket addresses the processes of a unit may bind(2) a network socket to. Both settings apply to the AF_INET and AF_INET6 address families only and require the unified cgroup hierarchy (cgroup v2) plus BPF support in the kernel.
Settings
Both SocketBindAllow and SocketBindDeny take a bind-rule of the form [address-family:][ip-protocol:][ip-ports], where the address family is ipv4 or ipv6, the protocol is tcp or udp, and the ports are a single port or a lowport-highport range; the keyword any matches everything. See SocketBindDeny for the details.
Generic advice
This setting is useful in combination with SocketBindDeny to create an allow-list. Allow rules are evaluated before deny rules, and a bind() that matches neither list is permitted, so a deny-everything rule (SocketBindDeny=any) is needed for the allow-list to be effective. A bind() rejected by these rules fails, so check the service's journal for bind errors after tightening the rules.
Examples
Allowing binding only to TCP port 80 is defined by first denying all address families, protocols, and ports, followed by the allowed protocol and port combination.
[Service]
SocketBindDeny=any
SocketBindAllow=tcp:80
Allow binding to port 443 for all address families and transport protocols (IPv4/IPv6, TCP/UDP), and deny everything else.
[Service]
SocketBindDeny=any
SocketBindAllow=443
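To reason about a unit's bind rules before deploying it, the following added example (written for this article; it is neither part of the original page nor systemd's own code) models the bind-rule grammar and the allow-then-deny evaluation order described in systemd.resource-control(5): allow rules are checked first, then deny rules, and a bind() matching neither is permitted. It parses the SocketBindAllow/SocketBindDeny lines of a [Service] section and answers whether a given (address family, protocol, port) bind() would be allowed. It goes slightly beyond the two examples above by also handling the ipv4:/ipv6: prefix and port ranges. The unit text and the function names (parse_bind_rule, parse_service_section, bind_permitted, check) are constructed for the example; the real enforcement happens in the kernel via systemd's BPF program, not in this script.

```python
"""Model of systemd's SocketBindAllow=/SocketBindDeny= evaluation.

Added example, not from the article or from systemd: parses bind-rules and
applies the documented order (allow list first, then deny list, otherwise allow).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# bind-rule ::= [address-family:][ip-protocol:][ip-ports]
# address-family ::= ipv4 | ipv6      ip-protocol ::= tcp | udp
# ip-ports ::= port | lowport-highport  ("any" matches everything)


@dataclass(frozen=True)
class BindRule:
    family: Optional[str]              # "ipv4", "ipv6" or None (= both)
    protocol: Optional[str]            # "tcp", "udp" or None (= both)
    ports: Optional[Tuple[int, int]]   # inclusive range or None (= any port)

    def matches(self, family: str, protocol: str, port: int) -> bool:
        if self.family is not None and self.family != family:
            return False
        if self.protocol is not None and self.protocol != protocol:
            return False
        if self.ports is not None and not (self.ports[0] <= port <= self.ports[1]):
            return False
        return True


def parse_bind_rule(text: str) -> BindRule:
    """Parse one value such as 'any', 'tcp:80', '443' or 'ipv6:udp:5000-5100'."""
    text = text.strip()
    if text == "any":
        return BindRule(None, None, None)
    parts = text.split(":")
    family = protocol = None
    if parts and parts[0] in ("ipv4", "ipv6"):
        family = parts.pop(0)
    if parts and parts[0] in ("tcp", "udp"):
        protocol = parts.pop(0)
    ports = None
    if parts:                       # whatever remains must be the port spec
        if len(parts) != 1:
            raise ValueError(f"malformed bind-rule: {text!r}")
        lo, _, hi = parts[0].partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not (1 <= lo_i <= hi_i <= 65535):
            raise ValueError(f"port range out of bounds: {text!r}")
        ports = (lo_i, hi_i)
    return BindRule(family, protocol, ports)


def parse_service_section(unit_text: str) -> Tuple[List[BindRule], List[BindRule]]:
    """Collect SocketBindAllow=/SocketBindDeny= rules from the [Service] section."""
    allow: List[BindRule] = []
    deny: List[BindRule] = []
    in_service = False
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):
            in_service = line == "[Service]"
            continue
        if not in_service or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key == "SocketBindAllow":
            allow.append(parse_bind_rule(value))
        elif key == "SocketBindDeny":
            deny.append(parse_bind_rule(value))
    return allow, deny


def bind_permitted(allow: List[BindRule], deny: List[BindRule],
                   family: str, protocol: str, port: int) -> bool:
    """Allow rules win first; then deny rules; no match at all means allowed."""
    if any(r.matches(family, protocol, port) for r in allow):
        return True
    if any(r.matches(family, protocol, port) for r in deny):
        return False
    return True


def check(unit_text: str, family: str, protocol: str, port: int) -> bool:
    """Convenience wrapper: would this bind() be permitted under this unit?"""
    allow, deny = parse_service_section(unit_text)
    return bind_permitted(allow, deny, family, protocol, port)


# Constructed sample unit mirroring the article's first example (TCP 80 only).
WEB_UNIT = """\
[Unit]
Description=constructed sample unit

[Service]
SocketBindDeny=any
SocketBindAllow=tcp:80
"""

if __name__ == "__main__":
    for fam, proto, port in [("ipv4", "tcp", 80), ("ipv6", "tcp", 80),
                             ("ipv4", "udp", 80), ("ipv4", "tcp", 8080)]:
        verdict = "allowed" if check(WEB_UNIT, fam, proto, port) else "denied"
        print(f"bind({fam}, {proto}, {port}) -> {verdict}")
```

Running the script prints that TCP port 80 is allowed for both IPv4 and IPv6 while UDP 80 and TCP 8080 are denied. Note that without the SocketBindDeny=any line the same unit would permit every bind(), which is the mistake the evaluation order makes easy to make.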
Related hardening profiles
The systemd unit setting SocketBindAllow is used in the following systemd hardening profiles. These hardening profiles help improve the security of common Linux services and usually require minimal tuning.