Networking

SocketBindAllow setting

Allow systemd units to use system call bind() on sockets specified with the unit setting SocketBindAllow.

Summary

Why and when to use SocketBindAllow

The setting SocketBindAllow is used together with SocketBindDeny and defines restrictions on the usage of the system call bind() on a network socket.

Settings

Both SocketBindAllow and SocketBindDeny use a bind-rule. See SocketBindDeny for the details.

Generic advice

This setting is useful in combination with SocketBindDeny to create an allow-list.

Examples

Allow binding on TCP port 80:

[Service]
SocketBindDeny=any
SocketBindAllow=tcp:80

Allow binding on port 443 (IPv4/IPv6, TCP/UDP)

SocketBindDeny setting

Restrict systemd units from using the system call bind() on sockets specified with the unit setting SocketBindDeny.

Summary

Why and when to use SocketBindDeny

The setting SocketBindDeny can be used alone or together with SocketBindAllow to set restrictions on the usage of the system call bind() on a network socket.

Settings

If the SocketBindDeny list is used alone, then it is a deny-list: everything except the defined ports/protocols will be allowed. By defining the value 'any', all combinations are denied. This is typically used in combination with SocketBindAllow to open up one or more ports.

RestrictAddressFamilies setting

Restrict systemd units to using only the specified socket address families with the unit setting RestrictAddressFamilies.

Summary

Why and when to use RestrictAddressFamilies

The setting RestrictAddressFamilies aims to restrict which socket address families can be used. By default it acts as an allow-list and defines which address families may be used.

Settings

When this setting is not configured, there are no restrictions on which address families can be used. Setting the value to none blocks all address families. To block only specific address families, prefix the list with ~ to turn the allow-list into a deny-list.

Nstat

The command nstat provides network interface statistics and can be used for monitoring and troubleshooting.

Summary

Users of the command-line are typically aware of the netstat command. The package that netstat belongs to is getting deprecated and slowly replaced with tools like ip. This is also where nstat comes in, a more modern approach to pulling in data from the kernel. Another benefit is that it can retrieve more information than netstat. This is due to the static list of metrics that netstat looks for, while nstat will parse output files from /proc.

Tcpdump cheat sheet

Get more information out of the tcpdump tool using this cheat sheet. Find out everything that is happening on the network and on your Linux systems.

Summary

No network packet will remain hidden

Ip cheat sheet

Want to see or configure every piece of networking information, including routing, on Linux? Forget tools like netstat and learn to use the ip command.

Summary

No more networking secrets

Ss cheat sheet

If you want to learn more about network connections on Linux, then ss is the tool to get the job done. Learn how to use it with this cheat sheet.

Summary

Reveal all those sockets