diff --git a/modules/bitcoind.nix b/modules/bitcoind.nix
index 6633f40..9a2a79b 100644
--- a/modules/bitcoind.nix
+++ b/modules/bitcoind.nix
@@ -55,6 +55,8 @@ let # Extra options ${cfg.extraConfig} '';
+
+ zmqServerEnabled = (cfg.zmqpubrawblock != null) || (cfg.zmqpubrawtx != null);
 in { options = { services.bitcoind = {
@@ -358,7 +360,7 @@ in { UMask = mkIf cfg.dataDirReadableByGroup "0027"; ReadWritePaths = cfg.dataDir; } // nbLib.allowedIPAddresses cfg.enforceTor
- // optionalAttrs (cfg.zmqpubrawblock != null || cfg.zmqpubrawtx != null) nbLib.allowAnyProtocol;
+ // optionalAttrs zmqServerEnabled nbLib.allowNetlink;
 }; # Use this to update the banlist:
diff --git a/modules/clightning-plugins/zmq.nix b/modules/clightning-plugins/zmq.nix
index 19eacf4..5ba2ece 100644
--- a/modules/clightning-plugins/zmq.nix
+++ b/modules/clightning-plugins/zmq.nix
@@ -4,6 +4,8 @@ with lib; let cfg = config.services.clightning.plugins.zmq;
+ nbLib = config.nix-bitcoin.lib;
+
 endpoints = [ "channel-opened" "connect"
@@ -38,5 +40,9 @@ in plugin=${config.nix-bitcoin.pkgs.clightning-plugins.zmq.path} ${concatStrings (map setEndpoint endpoints)} '';
+
+ # The zmq server requires AF_NETLINK
+ systemd.services.clightning.serviceConfig.RestrictAddressFamilies =
+ mkForce nbLib.allowNetlink.RestrictAddressFamilies;
 }; }
diff --git a/modules/lightning-pool.nix b/modules/lightning-pool.nix
index 89dcfec..7736d0a 100644
--- a/modules/lightning-pool.nix
+++ b/modules/lightning-pool.nix
@@ -100,7 +100,8 @@ in { Restart = "on-failure"; RestartSec = "10s"; ReadWritePaths = cfg.dataDir;
- } // (nbLib.allowedIPAddresses cfg.enforceTor);
+ } // (nbLib.allowedIPAddresses cfg.enforceTor)
+ // nbLib.allowNetlink; # required by gRPC-Go
 }; }; }
diff --git a/modules/lnd.nix b/modules/lnd.nix
index be59675..8093bc9 100644
--- a/modules/lnd.nix
+++ b/modules/lnd.nix
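Review bot: `// optionalAttrs zmqServerEnabled nbLib.allowNetlink` replaces the service's `RestrictAddressFamilies` wholesale rather than appending to it, because `nbLib.allowNetlink` (pkgs/lib.nix hunk) is built from `defaultHardening` alone; if `nbLib.allowedIPAddresses cfg.enforceTor`, merged just before it, ever narrows the family list (it is outside this diff, so I cannot tell), that narrowing is silently undone whenever ZMQ is enabled. The same replacement happens via `//` in the lightning-pool hunk and via `mkForce` in the clightning zmq.nix hunk. Dropping `allowAnyProtocol` in favour of one extra family is the right direction; a short comment at the use site would record the intent, e.g. `# ZMQ publishing needs AF_NETLINK; allowNetlink replaces, not extends, RestrictAddressFamilies`. The enclosing `serviceConfig` attribute set starts before this hunk.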
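Review bot: `mkForce` on `systemd.services.clightning.serviceConfig.RestrictAddressFamilies` overrides every other definition of that option, including an operator's own override, and hard-wires the clightning service to the default family list plus AF_NETLINK even if the clightning module (not in this diff) sets a different list. If the force is only needed because that module already assigns a string value that cannot be merged, a priority between a plain definition and `mkForce` (e.g. `mkOverride 90`) would still beat the module while letting the operator win with a plain `mkForce`. The existing comment states what is needed but not why the override is necessary; `# mkForce: the clightning module already sets RestrictAddressFamilies as a string, which does not merge` would close that gap. The enclosing module attribute set starts before this hunk.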
@@ -262,8 +262,7 @@ in { '') (attrNames cfg.macaroons)} '') ];
- } // nbLib.allowedIPAddresses cfg.enforceTor
- // nbLib.allowAnyProtocol; # For ZMQ
+ } // nbLib.allowedIPAddresses cfg.enforceTor;
 }; users.users.${cfg.user} = {
diff --git a/pkgs/lib.nix b/pkgs/lib.nix
index bf29b68..e42b641 100644
--- a/pkgs/lib.nix
+++ b/pkgs/lib.nix
@@ -33,6 +33,10 @@ let self = { SystemCallArchitectures = "native"; };
+ allowNetlink = {
+ RestrictAddressFamilies = self.defaultHardening.RestrictAddressFamilies + " AF_NETLINK";
+ };
+
 # nodejs applications apparently rely on memory write execute nodejs = { MemoryDenyWriteExecute = "false"; };
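Review bot: The removed `nbLib.allowAnyProtocol` (commented `# For ZMQ`) is not replaced with `nbLib.allowNetlink` here, whereas the lightning-pool hunk adds `allowNetlink` with the note `# required by gRPC-Go`; if lnd's RPC server shares that gRPC-Go dependency, the tightened sandbox would only show up at runtime as a refused AF_NETLINK socket, which the diff cannot reveal. Either confirm on a running node that lnd starts and serves RPC with the default families, or add `// nbLib.allowNetlink; # required by gRPC-Go` as in lightning-pool. In both cases a comment such as `# lnd's ZMQ client needs no extra address families` would explain why the old line has no replacement. The enclosing `serviceConfig` set starts, and its parent attribute set ends, outside this hunk.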
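Review bot: `allowNetlink` is the one entry in this hunk without a comment, and its contract is easy to misread: the value is a complete `RestrictAddressFamilies` string (the `defaultHardening` list plus ` AF_NETLINK`), so a caller merging it with `//` or `mkForce` replaces whatever list the service had rather than adding a family. A header comment along the lines of `# Full RestrictAddressFamilies value: the default families plus AF_NETLINK (needed by the zmq server and gRPC-Go users in this repo); merge it after any other RestrictAddressFamilies setting` would make that explicit. The concatenation also assumes `self.defaultHardening.RestrictAddressFamilies` stays a string rather than a list, which is worth pinning down in a comment on `defaultHardening`. The `self` attribute set begins before this hunk and continues after it.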