SocketBindDeny setting
This systemd unit setting was added since systemd 249.
Purpose: restricts address families, transport protocols, and/or ports to bind() to a socket
Why and when to use SocketBindDeny
The setting SocketBindDeny can be used alone or together with SocketBindAllow to set restrictions on the usage of the system call bind on a network socket.
Settings
If the SocketBindDeny list is used alone, then it is a deny-list. Everything except the defined ports/protocols will be allowed.
By defining the value ‘any’, all combinations are denied. This is typically used in combination with SocketBindAllow to open up one or more ports.
Both SocketBindAllow and SocketBindDeny use a bind-rule in the following format: [address-family:][transport-protocol:][ip-ports] | any
Address family
Optional, will match all address families if not specified. If specified, then the valid options for the address family are:
- ipv4
- ipv6
Transport protocol
Optional, whill match all transport protocol if not specified. If specified, then the valid options for the transport protocol are:
- tcp
- udp
IP ports
IP ports can be specified as a single port or a range, optionally with an address family or transport protocol. The IP port or port range is also optional, as SocketBindAllow and SocketBindDeny allow specifying one of the other filter alone.
Any
The ‘any’ keyword is reserved as a wildcard. It will match all combinations of address families, transport protocols, and ports.
Generic advice
This setting is powerful to restrict what ports or protocols can be used. When possible set the value to ‘any’ and then open ports with SocketBindAllow. This way ports are restricted and are a good foundation for firewall rules.
Examples
Deny all, execept for ports 2000 and 3000.
[Service]
SocketBindDeny=any
SocketBindAllow=2000
SocketBindAllow=3000
Deny all
Used alone (deny-list), this can prevent any bindings.
[Service]
SocketBindDeny=any
Block only IPv6
Used alone (deny-list), block all IPv6 ports for binding.
[Service]
SocketBindDeny=ipv6