
SocketBindDeny setting

This systemd unit setting was added in systemd 249.

Purpose: restricts the address families, transport protocols, and/or ports that a service may bind() a socket to

Why and when to use SocketBindDeny

The setting SocketBindDeny can be used alone or together with SocketBindAllow to restrict the use of the bind system call on a network socket by the processes of a unit.

Settings

If the SocketBindDeny list is used alone, then it is a deny-list. Everything except the defined ports/protocols will be allowed.

By defining the value ‘any’, all combinations are denied. This is typically used in combination with SocketBindAllow to open up one or more ports.

Both SocketBindAllow and SocketBindDeny use a bind-rule in the following format: [address-family:][transport-protocol:][ip-ports] | any

Address family

Optional, will match all address families if not specified. If specified, then the valid options for the address family are:

  • ipv4
  • ipv6

Transport protocol

Optional, will match all transport protocols if not specified. If specified, then the valid options for the transport protocol are:

  • tcp
  • udp

IP ports

IP ports can be specified as a single port or a port range (low-high), optionally prefixed with an address family or transport protocol. The IP port or port range is itself optional, as SocketBindAllow and SocketBindDeny allow specifying either of the other two filters alone.

Any

The ‘any’ keyword is reserved as a wildcard. It will match all combinations of address families, transport protocols, and ports.

Generic advice

This setting is a powerful way to restrict which ports or protocols a service can use. When possible, set the value to ‘any’ and then open only the required ports with SocketBindAllow. This way ports are restricted per service, which is a good foundation for firewall rules.

Examples

Deny all, except for ports 2000 and 3000.

[Service]
SocketBindDeny=any
SocketBindAllow=2000
SocketBindAllow=3000

Deny all

Used alone (deny-list), this prevents all bindings.

[Service]
SocketBindDeny=any

Block only IPv6

Used alone (deny-list), this blocks binding to any IPv6 port.

[Service]
SocketBindDeny=ipv6
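To check bind-rules against the format described above before placing them in a unit, here is an added example shell script (it is not part of the original article and not systemd's own code). It parses a rule into its address family, transport protocol and port range, and evaluates whether a given bind would be allowed under a set of SocketBindAllow and SocketBindDeny values. It assumes that allow rules are checked before deny rules and that a bind matching no rule is allowed, which is consistent with the deny-any-plus-allow example above. The function and variable names are my own.

```shell
#!/bin/sh
# Added example: parse and evaluate systemd bind-rules
#   bind-rule := [address-family:][transport-protocol:][ip-ports] | any
# Not systemd's code; evaluation order (allow first, then deny,
# default allow) is an assumption consistent with the article's examples.

# is_port N: true if N is an integer in 1..65535
is_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ ${#1} -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# parse_bind_rule RULE: prints "family proto low high" (any = wildcard),
# returns 1 if RULE does not follow the bind-rule grammar.
parse_bind_rule() {
    pr_rule=$1
    if [ "$pr_rule" = any ]; then
        echo "any any 1 65535"
        return 0
    fi
    case $pr_rule in
        ''|*:) return 1 ;;          # empty, or a dangling separator
    esac
    pr_family=any; pr_proto=any; pr_rest=$pr_rule
    case $pr_rest in
        ipv4|ipv6)     pr_family=$pr_rest; pr_rest= ;;
        ipv4:*|ipv6:*) pr_family=${pr_rest%%:*}; pr_rest=${pr_rest#*:} ;;
    esac
    case $pr_rest in
        tcp|udp)     pr_proto=$pr_rest; pr_rest= ;;
        tcp:*|udp:*) pr_proto=${pr_rest%%:*}; pr_rest=${pr_rest#*:} ;;
    esac
    if [ -z "$pr_rest" ]; then
        pr_low=1; pr_high=65535     # no ports given: match all ports
    else
        case $pr_rest in
            *-*) pr_low=${pr_rest%%-*}; pr_high=${pr_rest#*-} ;;
            *)   pr_low=$pr_rest;      pr_high=$pr_rest ;;
        esac
        is_port "$pr_low" && is_port "$pr_high" && [ "$pr_low" -le "$pr_high" ] || return 1
    fi
    echo "$pr_family $pr_proto $pr_low $pr_high"
}

# rule_matches RULE FAMILY PROTO PORT: true if the bind matches RULE.
# An invalid rule never matches (systemd itself rejects such a unit at load).
rule_matches() {
    rm_rule=$1; rm_fam=$2; rm_proto=$3; rm_port=$4
    rm_parsed=$(parse_bind_rule "$rm_rule") || {
        echo "invalid bind-rule '$rm_rule' ignored" >&2; return 1; }
    set -- $rm_parsed           # $1 family, $2 proto, $3 low, $4 high
    [ "$1" = any ] || [ "$1" = "$rm_fam" ]   || return 1
    [ "$2" = any ] || [ "$2" = "$rm_proto" ] || return 1
    [ "$rm_port" -ge "$3" ] && [ "$rm_port" -le "$4" ]
}

# bind_allowed FAMILY PROTO PORT "ALLOW RULES" "DENY RULES"
# Rule lists are space-separated, one entry per SocketBindAllow=/SocketBindDeny= line.
bind_allowed() {
    ba_fam=$1; ba_proto=$2; ba_port=$3; ba_allow=$4; ba_deny=$5
    for ba_r in $ba_allow; do
        rule_matches "$ba_r" "$ba_fam" "$ba_proto" "$ba_port" && return 0
    done
    for ba_r in $ba_deny; do
        rule_matches "$ba_r" "$ba_fam" "$ba_proto" "$ba_port" && return 1
    done
    return 0                    # nothing matched: bind is allowed
}

# Command-line use: sh bindrules.sh ipv4 tcp 2500 "2000 3000" "any"
if [ $# -eq 5 ]; then
    if bind_allowed "$@"; then echo allowed; else echo denied; fi
fi
```

Running the script with the five arguments shown in the last comment evaluates the "deny all, except for ports 2000 and 3000" unit from the examples above: port 2000 is reported as allowed, port 2500 as denied.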


This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.
