From 28feeaab7775878e6298ba714edb631d510902cc Mon Sep 17 00:00:00 2001 From: Alexander Tomokhov Date: Fri, 30 Jun 2023 20:04:27 +0400 Subject: [PATCH] blocking outgoing connections - not achievable by systemd --- article.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/article.md b/article.md index 75af914..5805eb9 100644 --- a/article.md +++ b/article.md @@ -150,6 +150,8 @@ systemd.service = { `MemoryMax` is the absolute limit. It is recommended to use `MemoryHigh` as the main control mechanism, because it allows to go above the limit, but the processses are heavily slowed down and memory is taken away aggressively according to systemd documentation. +### blocking network connections + #### blocking all network connections except localhost This is appropriate, for example, if a service communicates with outside world via proxy (like `nginx`). And can be configured also with the help of systemd resource control directives, partially mentioned above. @@ -161,9 +163,9 @@ systemd.services.netdata.serviceConfig = { }; ``` -#### blocking outgoing internet connections +#### blocking outgoing internet connections (not achievable by systemd options) -The idea here is to keep responding to incoming requests for a service, but forbid any outgoing connections, initiated by itself. When it comes to a more sophisticated firewall, unfortunatelly systemd is not capable of such granular control. So, `iptables` configuration will be aimed at a specific user, which runs the service: +The idea here is to keep responding to incoming requests for a service, but forbid any outgoing connections, initiated by itself. When it comes to a more sophisticated firewall, systemd is not capable of such granular control. So, `iptables` configuration will be aimed at a specific user, which runs the service: ```nix networking.firewall = {
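Review bot: The new `### blocking network connections` heading in the first hunk is followed directly by the `#### blocking all network connections except localhost` subsection with no introductory text, so the grouping it creates is not explained; suggest one sentence under the heading stating that the first subsection is achievable with systemd directives while the second (per the commit subject, "not achievable by systemd") needs `iptables`. While touching this region, the unchanged context line above still reads "the processses are heavily slowed down" and "it allows to go above the limit"; fixing "processses" to "processes" and "allows to go" to "allows going" in the same patch would be a cheap drive-by.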
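Review bot: In the second hunk the rewritten paragraph still asserts "systemd is not capable of such granular control" without saying why, even though the heading now promises "(not achievable by systemd options)"; since the previous subsection shows systemd blocking everything except localhost, state explicitly that those directives cannot distinguish connections the service initiates from connections it accepts, which is the distinction this section needs. Two wording fixes in the same line: "forbid any outgoing connections, initiated by itself" should drop the comma and read "initiated by the service itself", and "a specific user, which runs the service" should be "the specific user that runs the service". That last phrase also carries a caveat worth a sentence: matching `iptables` rules on the owning user only isolates the service if it runs under a dedicated account, so the text should say the user must not be shared with other processes.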