Chris's Wiki :: blog/linux/SystemdPortFirewallWish Comments
https://utcc.utoronto.ca/~cks/space/blog/linux/SystemdPortFirewallWish?atomcomments
Last updated: 2022-06-19T00:43:02Z

Recent comments in Chris's Wiki :: blog/linux/SystemdPortFirewallWish, in chronological order.

By James on /blog/linux/SystemdPortFirewallWish (2022-06-11T11:20:11Z):

I mean, it sounds a bit like you want TCP Wrappers from back in the inetd days.

By Chris Siebenmann on /blog/linux/SystemdPortFirewallWish (2022-06-13T16:13:32Z):

That's pretty much it. I don't need all of the trimmings of TCP Wrappers, but I certainly would like the very basic bit of per-port IP block/allow, integrated with the application's general setup.

(TCP Wrappers had a lot of trimmings and some of them are the kind of things that are both out of favour and hard to implement outside the service itself, since they involved DNS lookups or even running other programs. But mostly we used the basics.)

By Haelwenn (lanodan) Monnier (https://hacktivis.me/) on /blog/linux/SystemdPortFirewallWish (2022-06-19T00:43:02Z):

Well, here I strongly tend to have services running as their own user, using capabilities(7) when needed, so I then just restrict port usage to specific users (something nftables allows; not sure about the other firewalling methods).