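[Unit]
Description=Fourth - Layer 4 proxy
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
# Path to the binary
ExecStart=/usr/local/bin/fourth

# ReadOnlyPaths= does not grant access; it makes the listed path read-only for
# the service. With ProtectSystem=strict (below) the whole file system tree is
# already read-only, so this line is defence in depth: /etc/fourth stays
# read-only even if ProtectSystem= is later relaxed. Nothing has to be listed
# here for the service to be able to read its config.
ReadOnlyPaths=/etc/fourth

# Needs CAP_NET_BIND_SERVICE in order to bind to lower ports (below 1024).
# When using ports above 1024, set both lines to empty (AmbientCapabilities=
# and CapabilityBoundingSet=) so the service runs with no capabilities at all.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE

# Run as a dynamic user: a transient UID/GID is allocated when the service
# starts and released when it stops, so no account is created on the host.
DynamicUser=yes

# NOTE(review): no Restart= is set, so after a crash the proxy stays down until
# it is restarted by hand -- confirm that is intended for a network-facing
# service.

# Security hardening: filesystem and kernel interfaces
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=strict
ProtectHome=yes
ProtectProc=invisible
ProcSubset=pid
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectHostname=yes
ProtectClock=yes
UMask=0077

# Security hardening: system calls and sockets.
# The first SystemCallFilter= line is an allow-list (@system-service already
# contains @basic-io, @file-system and @network-io); the following "~" lines
# remove @privileged and @resources from that set. Because no
# SystemCallErrorNumber= is set, a call outside the resulting set terminates
# the process with SIGSYS rather than returning an error.
SystemCallFilter=@basic-io @file-system @network-io @system-service
SystemCallFilter=~@privileged
SystemCallFilter=~@resources
SystemCallArchitectures=native
# Only IPv4/IPv6 sockets. AF_UNIX is not permitted, so anything that needs a
# local socket (e.g. sd_notify or a syslog socket) would fail; logging via
# stdout/stderr to the journal is unaffected.
RestrictAddressFamilies=AF_INET AF_INET6

# Security hardening: privilege escalation and process environment
NoNewPrivileges=yes
RestrictSUIDSGID=yes
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RemoveIPC=yes

[Install]
# NOTE(review): default.target is normally an alias for multi-user.target or
# graphical.target; multi-user.target is the conventional choice for a system
# service -- confirm this is what was meant.
WantedBy=default.target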