PrivateNetwork is a nice feature but I couldn’t find a good guide on exposing certain ports via loopback but not the whole interface. For example I still want to reverse-proxy to my service and allow it to talk to my Database (without using socket files), without giving access to everything else that exists on lo.
I haven’t fine-tuned my services that much yet. But if I wanted to solve this problem I might try to look into nftables, to firewall lo, I would say.
But nftables is only for in/out firewalling, not for locking down certain services from otherwise open ports via private interfaces. Systemd can do that, but in the guides I found you had to put the related services into the same interface.
That’s true. It’s not optimal but with meta skuid you can lock out a port from other users. It is not as granular as services, but if you follow a 1 to 1 user<->service mapping, it is almost equivalent.
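As an added example of the meta skuid approach described in the reply above (this is not code from the thread, and it assumes a reverse proxy running as user "proxy", an application running as user "app", the application listening on 127.0.0.1:8080 and PostgreSQL on 127.0.0.1:5432; all four names and ports are placeholders), the following nftables ruleset lets each user reach only the loopback port it needs and refuses new connections to those ports from every other UID:

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Assumed layout:
#   user "proxy" -> reverse proxy, needs 127.0.0.1:8080
#   user "app"   -> application, needs 127.0.0.1:5432 (PostgreSQL)
# meta skuid is evaluated in the output hook and carries the UID that
# owns the sending socket, so it controls which local user may *connect*
# to a given loopback port. Load with: nft -f /etc/nftables.d/lo-filter.nft

table inet lo_filter {
    chain output {
        type filter hook output priority filter; policy accept;

        # only traffic leaving on loopback is subject to these rules
        oifname != "lo" accept

        # packets of connections already admitted need no further checks
        ct state established,related accept

        # reverse proxy may open connections to the app's HTTP port
        tcp dport 8080 meta skuid "proxy" accept

        # app may open connections to PostgreSQL
        tcp dport 5432 meta skuid "app" accept

        # root keeps access for administration; remove to lock root out as well
        tcp dport { 8080, 5432 } meta skuid 0 accept

        # any other UID trying to open a connection to these ports is refused
        tcp dport { 8080, 5432 } ct state new reject with tcp reset

        # everything else on lo is left alone by the accept policy
    }
}
```

Two caveats for this approach: nft resolves the user names in meta skuid rules when the ruleset is loaded, so the units need a static User= rather than DynamicUser=, whose transient UIDs do not exist at load time; and the rule only matches the UID of the connecting socket, so the 1-to-1 mapping between users and services is what makes the rule equivalent to a per-service restriction. Unix socket files are not IP traffic and are unaffected by this ruleset.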