
SocketBindDeny setting

This systemd unit setting was added in systemd 249.

Purpose: restricts which address families, transport protocols, and/or ports a socket may bind() to

Why and when to use SocketBindDeny

The setting SocketBindDeny can be used alone or together with SocketBindAllow to set restrictions on the usage of the system call bind on a network socket.


If the SocketBindDeny list is used alone, then it is a deny-list. Everything except the defined ports/protocols will be allowed.

By defining the value ‘any’, all combinations are denied. This is typically used in combination with SocketBindAllow to open up one or more ports.

Both SocketBindAllow and SocketBindDeny use a bind-rule in the following format: [address-family:][transport-protocol:][ip-ports] | any

Address family

Optional, will match all address families if not specified. If specified, then the valid options for the address family are:

  • ipv4
  • ipv6

Transport protocol

Optional, will match all transport protocols if not specified. If specified, then the valid options for the transport protocol are:

  • tcp
  • udp

IP ports

IP ports can be specified as a single port or a range, optionally with an address family or transport protocol. The IP port or port range is also optional, as SocketBindAllow and SocketBindDeny allow specifying one of the other filters alone.


The ‘any’ keyword is reserved as a wildcard. It will match all combinations of address families, transport protocols, and ports.

Generic advice

This setting is a powerful way to restrict which ports or protocols can be used. When possible, set the value to ‘any’ and then open ports with SocketBindAllow. This way the ports are restricted, which is a good foundation for firewall rules.


Deny all, except for ports 2000 and 3000


Deny all

Used alone (deny-list), this can prevent any bindings.


Block only IPv6

Used alone (deny-list), block all IPv6 ports for binding.
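
The three cases above, written as drop-in contents and checked against a small model of bind-rule matching. This is an added example, not code from the original article or from systemd; the drop-in strings are constructed, the function names are hypothetical, and the evaluation order (an allow match wins, then a deny match refuses, otherwise the bind is permitted) is assumed from the description above.

```python
# Added example: a model of bind-rule matching, not systemd's own code.
FAMILIES, PROTOCOLS = {"ipv4", "ipv6"}, {"tcp", "udp"}
# Constructed drop-in contents for the three cases described above.
DENY_ALL_EXCEPT = "[Service]\nSocketBindDeny=any\nSocketBindAllow=2000\nSocketBindAllow=3000\n"
DENY_ALL = "[Service]\nSocketBindDeny=any\n"
BLOCK_IPV6 = "[Service]\nSocketBindDeny=ipv6\n"

def parse_rule(text):
    """Parse '[address-family:][transport-protocol:][ip-ports] | any'."""
    if text == "any":
        return (None, None, None)  # wildcard: every family, protocol and port
    parts = text.split(":")
    family = parts.pop(0) if parts and parts[0] in FAMILIES else None
    proto = parts.pop(0) if parts and parts[0] in PROTOCOLS else None
    ports = None
    if parts:
        low, sep, high = parts.pop(0).partition("-")
        ports = (int(low), int(high) if sep else int(low))  # int() rejects junk
        if not ports[0] <= ports[1] <= 65535:
            raise ValueError(f"invalid port range in bind-rule: {text!r}")
    if parts:  # leftover fields, e.g. 'tcp:80:90'
        raise ValueError(f"invalid bind-rule: {text!r}")
    return (family, proto, ports)

def matches(rule, family, proto, port):
    r_family, r_proto, r_ports = rule
    return (r_family in (None, family) and r_proto in (None, proto)
            and (r_ports is None or r_ports[0] <= port <= r_ports[1]))

def load_rules(unit_text):
    """Collect SocketBindAllow=/SocketBindDeny= rules, one rule per line."""
    rules = {"SocketBindAllow": [], "SocketBindDeny": []}
    for line in unit_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in rules:
            rules[key].append(parse_rule(value.strip()))
    return rules

def bind_permitted(rules, family, proto, port):
    """Assumed order: allow match permits, else deny match refuses, else permitted."""
    if any(matches(r, family, proto, port) for r in rules["SocketBindAllow"]):
        return True
    return not any(matches(r, family, proto, port) for r in rules["SocketBindDeny"])

if __name__ == "__main__":
    attempts = [("ipv4", "tcp", 2000), ("ipv6", "udp", 3000), ("ipv4", "tcp", 8080)]
    for name in ("DENY_ALL_EXCEPT", "DENY_ALL", "BLOCK_IPV6"):
        rules = load_rules(globals()[name])
        print(name, [bind_permitted(rules, *a) for a in attempts])
```

Running a unit's planned rules through such a check before deployment shows whether a deny-list used alone still leaves ports open that were meant to be closed.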




This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.
