Package: miniupnpd
Version: 2.1-6.1
Severity: wishlist
Tags: patch

Dear Maintainers,
I am using the latest git version of miniupnpd, with the nftables backend instead of the iptables backend used in the Debian package. A much stronger sandbox in miniupnpd.service works for me, as shown below. The systemd service file in the Debian package can also use a stronger sandbox. Also, "Type=exec" seems better than the "Type=simple" used in the Debian package.

[Unit]
Description=UPnP Internet Gateway Device Daemon
Documentation=man:miniupnpd(8)
After=network-online.target minissdpd.service

[Service]
TasksMax=2
#for /etc/miniupnpd/nft_removeall.sh. miniupnpd alone needs only 1.
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW CAP_SYSLOG
MountAPIVFS=yes
NoNewPrivileges=yes
PrivateMounts=yes
PrivateDevices=yes
PrivateTmp=yes
MemoryDenyWriteExecute=yes
ProtectSystem=full
ProtectHome=yes
ProtectHostname=yes
ProtectClock=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
LockPersonality=yes
RestrictRealtime=yes
RestrictNamespaces=yes
RestrictSUIDSGID=yes
Type=exec
ExecStartPre=/etc/miniupnpd/nft_init.sh -i ip6tnl1
ExecStart=/usr/sbin/miniupnpd -d -f /etc/miniupnpd/miniupnpd.conf
ExecStopPost=/etc/miniupnpd/nft_removeall.sh -i ip6tnl1

[Install]
WantedBy=multi-user.target

Best regards,
Ryutaroh Matsumoto
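As an added example (not part of the bug report or of the miniupnpd project), the following script parses a systemd unit file the way systemd does (whole-line comments only, repeatable keys) and reports which of the sandboxing directives proposed above are absent from its [Service] section, and whether Type= is something other than exec. The WEAK_UNIT text is a constructed stand-in for a less-restricted service file, not the actual Debian unit.

```python
"""Audit a systemd unit file for the sandboxing directives used in the proposed miniupnpd.service."""

# [Service] hardening keys enabled in the proposed unit above.
HARDENING_KEYS = (
    "CapabilityBoundingSet", "MountAPIVFS", "NoNewPrivileges", "PrivateMounts",
    "PrivateDevices", "PrivateTmp", "MemoryDenyWriteExecute", "ProtectSystem",
    "ProtectHome", "ProtectHostname", "ProtectClock", "ProtectKernelTunables",
    "ProtectKernelModules", "ProtectKernelLogs", "ProtectControlGroups",
    "LockPersonality", "RestrictRealtime", "RestrictNamespaces", "RestrictSUIDSGID",
)

# Constructed sample: a minimal, unsandboxed unit using Type=simple.
WEAK_UNIT = """[Unit]
Description=UPnP Internet Gateway Device Daemon
[Service]
Type=simple
ExecStart=/usr/sbin/miniupnpd -d -f /etc/miniupnpd/miniupnpd.conf
[Install]
WantedBy=multi-user.target
"""


def parse_unit(text):
    """Return {section: {key: [values]}}. Only whole lines starting with '#' or ';'
    are comments, and keys such as ExecStart= may repeat, so configparser is unsuitable."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed unit line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current].setdefault(key, []).append(value)
    return sections


def audit_service(text):
    """Return (missing hardening keys, list of textual findings) for the [Service] section."""
    service = parse_unit(text).get("Service", {})
    missing = [key for key in HARDENING_KEYS if key not in service]
    findings = []
    # systemd defaults Type= to simple; with exec, a failing execve() fails the start job.
    if service.get("Type", ["simple"])[-1] != "exec":
        findings.append("Type= is not exec: an ExecStart= that cannot be executed still counts as started")
    return missing, findings


if __name__ == "__main__":
    missing, findings = audit_service(WEAK_UNIT)
    print("missing:", ", ".join(missing) or "none")
    for finding in findings:
        print("finding:", finding)
```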