From: "mal content"
To: "Nikolay Pavlov", "Fabian Keil", freebsd-security@freebsd.org
Date: Fri, 20 Oct 2006 17:38:59 +0100
Subject: Re: Binding Squid to reserved port (was: mac_portacl)
Message-ID: <8e96a0b90610200938j21dab6d6h42b64e2193504eee@mail.gmail.com>
In-Reply-To: <20061020162343.GA27287@zone3000.net>
References: <20061020140456.GA25717@zone3000.net> <20061020165706.367b0302@localhost> <20061020162343.GA27287@zone3000.net>
List-Id: freebsd-security@freebsd.org (Security issues [members-only posting])
On 20/10/06, Nikolay Pavlov wrote:
> On Friday, 20 October 2006 at 16:57:06 +0200, Fabian Keil wrote:
> > Nikolay Pavlov wrote:
> >
> > > I am trying to implement a reverse proxy using squid with mac_portacl,
> > > but I have a problem while binding squid to port 80.
> > > Am I missing something?
> > >
> > > Here are my mac_portacl variables:
> > >
> > > # sysctl security.mac.portacl.
> > > security.mac.portacl.enabled: 1
> > > security.mac.portacl.suser_exempt: 1
> > > security.mac.portacl.autoport_exempt: 1
> > > security.mac.portacl.port_high: 1023
> > > security.mac.portacl.rules: uid:100:tcp:80
>

The mac_portacl page in the handbook says that you need to disable
normal UNIX bind restrictions on ports. Have you tried this:

# sysctl net.inet.ip.portrange.reservedlow=0
# sysctl net.inet.ip.portrange.reservedhigh=0

MC
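To make the reason for that suggestion concrete, here is an added example (it is not part of the thread and not FreeBSD's own code). It models the two checks a bind() to tcp/80 has to pass on a FreeBSD host with mac_portacl(4) loaded: the stack's own reserved-port range (net.inet.ip.portrange.reservedlow/reservedhigh, inclusive, root exempt) is evaluated independently of any MAC policy, so a matching uid:100:tcp:80 rule is not enough while reservedhigh is still 1023. The sysctl dump in the script is constructed: the security.mac.portacl values are the ones Nikolay posted, the portrange values are the FreeBSD defaults, which the thread never shows; gid: rules and the port-0 autoport case are not modelled.

```shell
#!/bin/sh
# Added example (not from the thread or FreeBSD): models the two independent
# checks a bind() to a low port has to pass once mac_portacl(4) is loaded.
#   1. the stack's reserved-port check, governed by
#      net.inet.ip.portrange.reservedlow/reservedhigh (inclusive range,
#      root is exempt through its privilege check);
#   2. mac_portacl's rule check, governed by security.mac.portacl.*
#      (applies only to ports <= port_high; root exempt when suser_exempt=1).
# Both dumps below are CONSTRUCTED: portacl values as posted in the thread,
# portrange values are the FreeBSD defaults. gid: rules and port 0 are omitted.

SYSCTL_DUMP='security.mac.portacl.enabled: 1
security.mac.portacl.suser_exempt: 1
security.mac.portacl.autoport_exempt: 1
security.mac.portacl.port_high: 1023
security.mac.portacl.rules: uid:100:tcp:80
net.inet.ip.portrange.reservedlow: 0
net.inet.ip.portrange.reservedhigh: 1023'

# Same host after the suggested fix: the stack reserves no ports any more.
SYSCTL_FIXED=$(printf '%s\n' "$SYSCTL_DUMP" \
    | sed -e 's/reservedhigh: 1023/reservedhigh: 0/')

# get <sysctl name> [dump]: value of one key from a "name: value" dump
get() {
    printf '%s\n' "${2:-$SYSCTL_DUMP}" | sed -n "s/^$1: //p"
}

# can_bind <uid> <proto> <port> [dump]
# Prints the reason; exit status 0 = bind allowed, 1 = bind denied.
can_bind() {
    uid=$1; proto=$2; port=$3; dump=${4:-$SYSCTL_DUMP}
    lo=$(get net.inet.ip.portrange.reservedlow "$dump")
    hi=$(get net.inet.ip.portrange.reservedhigh "$dump")

    # Check 1: stack reserved range, evaluated regardless of any MAC rule.
    if [ "$uid" -ne 0 ] && [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
        echo "denied: port $port is inside reserved range $lo-$hi (set reservedlow/reservedhigh to 0)"
        return 1
    fi

    # Check 2: mac_portacl, only when enabled and the port is <= port_high.
    if [ "$(get security.mac.portacl.enabled "$dump")" = 1 ] \
        && [ "$port" -le "$(get security.mac.portacl.port_high "$dump")" ]; then
        if [ "$uid" -eq 0 ] && [ "$(get security.mac.portacl.suser_exempt "$dump")" = 1 ]; then
            echo "allowed: uid 0 is exempt (suser_exempt=1)"
            return 0
        fi
        # rules is a comma-separated list of uid|gid:<id>:<proto>:<port>
        for rule in $(get security.mac.portacl.rules "$dump" | tr ',' ' '); do
            if [ "$rule" = "uid:$uid:$proto:$port" ]; then
                echo "allowed: mac_portacl rule $rule"
                return 0
            fi
        done
        echo "denied: no mac_portacl rule matches uid:$uid:$proto:$port"
        return 1
    fi

    echo "allowed: port $port is above port_high, mac_portacl does not apply"
    return 0
}

# Walk the thread's case (squid as uid 100 on tcp/80) and a few neighbours.
for c in "100 tcp 80" "100 tcp 443" "0 tcp 80" "100 tcp 8080"; do
    set -- $c
    printf 'as posted  uid=%-3s %s/%-5s ' "$1" "$2" "$3"; can_bind "$1" "$2" "$3" || :
    printf 'after fix  uid=%-3s %s/%-5s ' "$1" "$2" "$3"; can_bind "$1" "$2" "$3" "$SYSCTL_FIXED" || :
done
```

To check a real host, replace SYSCTL_DUMP with the output of `sysctl security.mac.portacl net.inet.ip.portrange`. The order of the two checks is the point: with the defaults, uid 100 is refused by the reserved-range check before mac_portacl is ever consulted, and only after both portrange sysctls are 0 does the uid:100:tcp:80 rule decide, while tcp/443 stays denied because no rule covers it.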