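# systemd unit for the portscan firewall banner service.
# Runs /usr/local/bin/banner_service as the unprivileged bannersvc account.
# CAP_NET_BIND_SERVICE is the only capability the process keeps.

[Unit]
Description=Portscan Firewall Banner Service
# Ordering only: network.target does not guarantee that addresses are
# configured when the service starts.
After=network.target
# If either condition is false the unit is skipped rather than marked failed:
# the binary must exist, and the capability must be present in the service
# manager's own bounding set.
ConditionPathExists=/usr/local/bin/banner_service
ConditionCapability=CAP_NET_BIND_SERVICE

[Service]
Type=simple
User=bannersvc
Group=bannersvc
WorkingDirectory=/var/lib/banner-service
ExecStart=/usr/local/bin/banner_service

# Capabilities. The ambient set hands the non-root process
# CAP_NET_BIND_SERVICE (binding ports below 1024); the bounding set and
# NoNewPrivileges keep it from gaining anything further, including through
# setuid or file-capability binaries.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=true

# Filesystem and device isolation.
# NOTE(review): ProtectSystem=strict makes the whole file system hierarchy
# read-only for this unit, /var/lib/banner-service included. If the binary
# writes state there it needs ReadWritePaths= or StateDirectory= - confirm.
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true

# Kernel interfaces are read-only or unavailable to the service.
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true

# Socket families are an allow list: only IPv4 and IPv6 sockets can be
# created.
# NOTE(review): AF_UNIX is not listed, so opening a local socket (for example
# syslog via /dev/log) would fail; output on stdout/stderr is unaffected.
# Confirm how the binary logs.
RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
MemoryDenyWriteExecute=true
LockPersonality=true

# System call allow list, restricted to the native ABI so the filter cannot
# be sidestepped through a secondary architecture's syscall table.
SystemCallFilter=@system-service
SystemCallArchitectures=native

# Disabled per-unit IP access list. If enabled as written, the service could
# only exchange traffic with loopback peers and everything else would be
# dropped. "localhost" already covers 127.0.0.0/8 and ::1, so the last two
# lines are redundant with it.
# NOTE(review): presumably disabled because remote peers must be able to
# reach the service. Either remove these lines or replace them with the
# intended allow list, so the effective policy is visible in the unit.
#IPAddressDeny=any
#IPAddressAllow=localhost
#IPAddressAllow=127.0.0.1
#IPAddressAllow=::1

# Resource ceilings. These are not connection rate limits: LimitNOFILE caps
# open file descriptors per process (and so the number of concurrent
# sockets), and LimitNPROC caps the process count. Neither limits how
# quickly new connections arrive; that has to be enforced in the service or
# at the firewall.
# RLIMIT_NPROC is accounted per user, not per unit, so anything else running
# as bannersvc counts against the same 8. TasksMax= is the per-unit control.
LimitNOFILE=1024
LimitNPROC=8

[Install]
WantedBy=multi-user.target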