# /lib/systemd/system/knockd.service

[Unit]
Description=Port-Knock Daemon
After=network.target
Documentation=man:knockd(1)

[Service]
EnvironmentFile=-/etc/default/knockd
ExecStart=/usr/sbin/knockd $KNOCKD_OPTS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=mixed
SuccessExitStatus=0 2 15
######################
# Disable if error not writable
# ProtectSystem=full
######################
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN