From: Jeremie Le Hen
To: Abu Khaled
Cc: freebsd-net@freebsd.org, Darren Pilgrim, Mrad James Deane
Date: Thu, 23 Jun 2005 15:30:02 +0200
Subject: Re: www user than root
Message-ID: <20050623133002.GA738@obiwan.tataz.chchile.org>
List-Id: Networking and TCP/IP with FreeBSD

Hi Khaled,

> Is it a good idea to run daemons on non privileged ports as a normal
> user (e.g. www) then have natd or a firewall redirect the traffic
> targeting the privileged port.
>
> For example:
>
> A web server running as user www on port 8000.
> IPFW, IPNAT, PF or NATD redirecting port 80 to port 8000.
>
> Is such a solution a good idea?
> I read in man natd that one can redirect traffic coming on the
> gateway on port 80 to one or many servers running daemons on non
> privileged ports.

Yes it might be a good idea, but again, it depends on your security
requirements: any user is able to bind port 8000, so if you have
other users on the system, this may not be something to avoid.  But FWIW,
this would totally remove the need to make a privileged part in your
application.

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
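
Added example, not part of the original message: a check for the caveat raised in the reply, that any local user can bind port 8000. It reads `sockstat -4 -l` output (FreeBSD column layout assumed) and fails unless the redirect target port is held only by the expected account; the helper name and the sample rows are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original thread.
# check_redirect_target PORT EXPECTED_USER  (hypothetical helper name)
# Reads `sockstat -4 -l` output on stdin; assumed FreeBSD columns:
# USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
# Returns 0 only if PORT is held exclusively by EXPECTED_USER.
check_redirect_target() {
    awk -v port="$1" -v want="$2" '
        NR == 1 && $1 == "USER" { next }       # skip the header row
        $5 ~ /^tcp/ {
            n = split($6, a, ":")              # local address is addr:port
            if (a[n] != port) next
            seen++
            if ($1 != want) {
                bad++
                printf "FAIL port %s held by %s (%s pid %s), expected %s\n", port, $1, $2, $3, want
            }
        }
        END {
            # An unbound target is also a finding: any user may take it.
            if (seen == 0) { printf "FAIL nothing listening on port %s\n", port; exit 2 }
            if (bad > 0) exit 1
            printf "OK port %s held only by %s\n", port, want
        }'
}

# Constructed sample inputs (not captured from a real host).
sample_ok() {
cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      httpd      812   3  tcp4   *:8000                *:*
root     sshd       640   4  tcp4   *:22                  *:*
EOF
}
sample_hijacked() {
cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
alice    python     2231  3  tcp4   *:8000                *:*
root     sshd       640   4  tcp4   *:22                  *:*
EOF
}

# Demo on the constructed samples; on a real host use:
#   sockstat -4 -l | check_redirect_target 8000 www
sample_ok | check_redirect_target 8000 www
sample_hijacked | check_redirect_target 8000 www || true
```

Run from cron or a monitoring probe, the non-zero exit status distinguishes a wrong owner (1) from an unbound port (2).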