diff --git a/systemd/glider@.service b/systemd/glider@.service
index b634b35..399292a 100644
--- a/systemd/glider@.service
+++ b/systemd/glider@.service
@@ -11,8 +11,10 @@ Restart=always
 ExecStart=/usr/bin/glider -config /etc/glider/%i.conf
 
 # work with systemd v229 or later, so glider can listen on port below 1024 with none-root user
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
-AmbientCapabilities=CAP_NET_BIND_SERVICE
+# CAP_NET_ADMIN: ipset
+# CAP_NET_BIND_SERVICE: bind ports under 1024
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
 NoNewPrivileges=true
 
 [Install]
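Review bot: CAP_NET_ADMIN is added to both `CapabilityBoundingSet=` and `AmbientCapabilities=` for every instance of this template unit, although the new comment ties it only to ipset. The capability covers much more than ipset (interface, routing and firewall configuration), so any glider instance now holds host-wide network administration rights even when it has no ipset rules configured. I would keep the shipped default at `CAP_NET_BIND_SERVICE` and make the wider set opt-in, documented as `# CAP_NET_ADMIN: required only when ipset is used; add it via a drop-in for those instances`. At minimum the comment should state that scope so operators know they can remove it. The `User=` line is outside this hunk, so the non-root assumption rests on the existing comment only.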