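# systemd unit for the SYN scan detection daemon.
# Runs the daemon as an unprivileged user with only the two network
# capabilities it is expected to need, inside a tightly sandboxed
# execution environment. Comments marked NOTE(review) are assumptions
# about the binary that must be confirmed before deployment.

[Unit]
Description=SYN Scan Detection Firewall
# Documentation= must be a complete URL; a bare "https://" is rejected by
# systemd at load time ("Invalid URL, ignoring") and documents nothing.
# TODO: fill in the real documentation URL, then uncomment:
#Documentation=https://<project-docs-url>
After=network.target network-online.target
Requires=network-online.target
# Condition* skips the unit quietly when the binary is absent;
# Assert* fails the unit loudly when the config or executable bit is missing.
ConditionPathExists=/usr/local/bin/SYN-Scan-Firewall
AssertPathExists=/etc/SYN-Scan-firewall/config.yaml
AssertFileIsExecutable=/usr/local/bin/SYN-Scan-Firewall

[Service]
# Type=notify: the daemon must send READY=1 via sd_notify or startup
# times out (default NotifyAccess=main).
Type=notify
User=synfirewall
Group=synfirewall
# NOTE(review): with ProtectSystem=strict below this directory is read-only
# unless listed in ReadWritePaths= or provided via StateDirectory=syn-firewall;
# confirm whether the daemon writes state here.
WorkingDirectory=/var/lib/syn-firewall

# Hardened execution
ExecStart=/usr/local/bin/SYN-Scan-Firewall
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
RestartSec=5s
TimeoutStopSec=30s
KillSignal=SIGTERM
# KillMode=process signals only the main PID on stop; helper processes it
# spawned are left running. The default (control-group) is stricter — keep
# =process only if the daemon deliberately hands off children.
KillMode=process

# Capabilities (minimal)
# CAP_NET_RAW for raw/packet sockets, CAP_NET_ADMIN for netfilter/interface
# changes; the bounding set prevents the daemon from acquiring anything else.
# NOTE(review): PrivateUsers=true below places the service in its own user
# namespace, and per systemd.exec(5) capabilities held there do not apply to
# host-owned resources such as the host network namespace. If the daemon
# needs host raw sockets or host firewall rules these caps will not work as
# intended and PrivateUsers= must be dropped — confirm against the binary.
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW

# Security confinement
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=read-only
PrivateTmp=true
PrivateDevices=true
PrivateUsers=true
ProtectHostname=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
# NOTE(review): AF_NETLINK (nftables/iproute) and AF_PACKET (libpcap-style
# capture) are not in this list and will be refused; add them only if the
# daemon is confirmed to use them.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
LockPersonality=true
RemoveIPC=true

# Memory protection
# MemoryDenyWriteExecute breaks runtimes that JIT; fine for AOT-compiled binaries.
MemoryDenyWriteExecute=true
# @network-io and @signal are already contained in @system-service; they are
# listed explicitly for readability only.
SystemCallFilter=@system-service @network-io @signal
SystemCallArchitectures=native
UMask=0077

# Network restrictions
# Deny all IP traffic on the unit's sockets except loopback. "localhost"
# expands to 127.0.0.0/8 and ::1/128, so separate entries for 127.0.0.1 and
# ::1 were redundant and have been removed.
# NOTE(review): this filter applies to the daemon's own AF_INET/AF_INET6
# sockets, including raw sockets — confirm it does not block the traffic the
# detector is meant to observe.
IPAddressDeny=any
IPAddressAllow=localhost

# Resource limits
LimitNOFILE=4096
LimitNPROC=64
# Packet-capture ring buffers or eBPF maps may need more locked memory than
# 64K; raise this if the daemon fails with ENOMEM/EPERM during setup.
LimitMEMLOCK=64K
LimitSTACK=8M

[Install]
WantedBy=multi-user.target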