« Back to Settings for systemd units

SocketBindDeny setting

The property SocketBindDeny is a systemd unit setting used for sandboxing. It is available since systemd 249.

Purpose: restricts address families, transport protocols, and/or ports to bind() to a socket

Why and when to use SocketBindDeny

The setting SocketBindDeny can be used alone or together with SocketBindAllow to set restrictions on the usage of the system call bind(2) on a network socket.

Settings

If the SocketBindDeny list is used alone, then it is a deny-list. Everything except the defined ports/protocols will be allowed.

By defining the value ‘any’, all combinations are denied. This is typically used in combination with SocketBindAllow to open up one or more ports.

Both SocketBindAllow and SocketBindDeny use a bind-rule in the following format: [address-family:][transport-protocol:][ip-ports] | any

Address family

Optional, will match all address families if not specified. If specified, then the valid options for the address family are:

  • ipv4
  • ipv6

Transport protocol

Optional, while match all transport protocol if not specified. If specified, then the valid options for the transport protocol are:

  • tcp
  • udp

IP ports

IP ports can be specified as a single port or a range, optionally with an address family or transport protocol. The IP port or port range is also optional, as SocketBindAllow and SocketBindDeny allow specifying one of the other filter alone.

Any

The ‘any’ keyword is reserved as a wildcard. It will match all combinations of address families, transport protocols, and ports.

Generic advice

This setting is powerful to restrict what ports or protocols can be used. When possible set the value to ‘any’ and then open ports with SocketBindAllow. This way ports are restricted and are a good foundation for firewall rules.

Examples

Deny all, except for ports 2000 and 3000.

[Service]
SocketBindDeny=any
SocketBindAllow=2000
SocketBindAllow=3000

Deny all

Used alone (deny-list), this can prevent any bindings.

[Service]
SocketBindDeny=any

Block only IPv6

Used alone (deny-list), block all IPv6 ports for binding.

[Service]
SocketBindDeny=ipv6

Related hardening profiles

The systemd unit setting SocketBindDeny is used in the following hardening profiles.

Frequently Asked Questions

How to use systemctl edit?

Run systemctl with the 'edit' subcommand and service.

systemctl edit UNIT.service

See full answer at How to use systemctl edit to change a service?

Related articles

Like to learn more? Here is a list of articles within the same category or having similar tags.

Feedback

Small picture of Michael Boelen

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!

Mastodon icon