forked from alexoundos/articles
blocking outgoing connections - not achievable by systemd
parent
8121966ffc
commit
28feeaab77
@ -150,6 +150,8 @@ systemd.service = {
`MemoryMax` is the absolute limit. It is recommended to use `MemoryHigh` as the main control mechanism, because it allows to go above the limit, but the processses are heavily slowed down and memory is taken away aggressively according to systemd documentation.
### blocking network connections
#### blocking all network connections except localhost
This is appropriate, for example, if a service communicates with outside world via proxy (like `nginx`). And can be configured also with the help of systemd resource control directives, partially mentioned above.
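Review bot: the context sentence "And can be configured also with the help of systemd resource control directives, partially mentioned above" is a fragment that never names the directives; since this region is being edited, merge it into the preceding sentence and state which resource-control directives the netdata example below relies on, so the reader does not have to infer them from the code. While here, the `MemoryMax`/`MemoryHigh` line still has the typo "processses" and the non-idiomatic "it allows to go above the limit" (suggest "processes" and "allows going above the limit").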
@ -161,9 +163,9 @@ systemd.services.netdata.serviceConfig = {
};
```
#### blocking outgoing internet connections
#### blocking outgoing internet connections (not achievable by systemd options)
The idea here is to keep responding to incoming requests for a service, but forbid any outgoing connections, initiated by itself. When it comes to a more sophisticated firewall, unfortunatelly systemd is not capable of such granular control. So, `iptables` configuration will be aimed at a specific user, which runs the service:
The idea here is to keep responding to incoming requests for a service, but forbid any outgoing connections, initiated by itself. When it comes to a more sophisticated firewall, systemd is not capable of such granular control. So, `iptables` configuration will be aimed at a specific user, which runs the service:
```nix
networking.firewall = {
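Review bot: the rewritten paragraph promises the service "keep[s] responding to incoming requests" while all outgoing connections from its user are forbidden, but a per-user `iptables` rule that drops that user's output also drops the reply packets of incoming connections unless the ruleset first accepts established/related traffic (or only matches new connections); the text should state that requirement before the `networking.firewall` block, and also note that a per-user match covers every process of that user, so the service needs a dedicated user for the rule to be scoped to it. Minor style: in the added line, "forbid any outgoing connections, initiated by itself" and "a specific user, which runs the service" read better without the commas and with "that runs the service".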