(no title)

So for example if you have a service listening to TCP port 1234, you could do something like this:

socat UNIX-LISTEN:foo.sock TCP:localhost:1234

Now the service will still listen to port 1234 and you now have another socket that redirects to the other. This not only comes with a bit of overhead, but port 1234 is still reachable.

While using packet filtering on that port might lower the attack surface a bit, this won't prevent other (possibly compromised) services/users on the system to access port 1234.

Sure you could also filter based on uid, but IMHO it's better if that port isn't accessible in the first place.