Description: Add documentation and security related configurations
 Provide references to manpage and upstream homepage.
 Limit access to system resources in case service is malfunctioning or got
 compromised.
Author: Sven Geuer <debmaint@g-e-u-e-r.de>
Last-Update: 2018-12-10
--- a/lib/systemd/system/arno-iptables-firewall.service
+++ b/lib/systemd/system/arno-iptables-firewall.service
@@ -1,5 +1,7 @@
 [Unit]
 Description=Arno's Iptables Firewall
+Documentation=man:arno-iptables-firewall(8)
+Documentation=http://rocky.eld.leidenuniv.nl/
 DefaultDependencies=no
 After=local-fs.target network-online.target
 Requires=local-fs.target network-online.target
@@ -11,6 +13,11 @@
 ExecStop=/usr/sbin/arno-iptables-firewall stop
 ExecReload=/usr/sbin/arno-iptables-firewall force-reload
 RemainAfterExit=yes
+ProtectSystem=true
+ProtectHome=true
+PrivateTmp=true
+LimitNPROC=1
+DeviceAllow=/dev/null rw
 
 [Install]
 WantedBy=multi-user.target
