Date: Fri, 20 Oct 2006 20:09:32 +0300
From: Nikolay Pavlov
To: mal content
Cc: freebsd-security@freebsd.org, Fabian Keil
Subject: Re: Binding Squid to reserved port (was: mac_portacl)
Message-ID: <20061020170932.GA28347@zone3000.net>
In-Reply-To: <8e96a0b90610200938j21dab6d6h42b64e2193504eee@mail.gmail.com>
References: <20061020140456.GA25717@zone3000.net> <20061020165706.367b0302@localhost> <20061020162343.GA27287@zone3000.net> <8e96a0b90610200938j21dab6d6h42b64e2193504eee@mail.gmail.com>
User-Agent: Mutt/1.4.2.1i
X-Operating-System: FreeBSD 6.1-RELEASE-p10

On Friday, 20 October 2006 at 17:38:59 +0100, mal content wrote:
> On 20/10/06, Nikolay Pavlov wrote:
> >On Friday, 20 October 2006 at 16:57:06 +0200, Fabian Keil wrote:
> >> Nikolay Pavlov wrote:
> >>
> >> > I am trying to implement a reverse proxy using squid with mac_portacl,
> >> > but I have a problem while binding squid to port 80.
> >> > Have I missed something?
> >> >
> >> > Here are my mac_portacl variables:
> >> >
> >> > # sysctl security.mac.portacl.
> >> > security.mac.portacl.enabled: 1
> >> > security.mac.portacl.suser_exempt: 1
> >> > security.mac.portacl.autoport_exempt: 1
> >> > security.mac.portacl.port_high: 1023
> >> > security.mac.portacl.rules: uid:100:tcp:80
> >> >
>
> The mac_portacl page in the handbook says that you need to disable normal
> UNIX bind restrictions on ports. Have you tried this:
>
> # sysctl net.inet.ip.portrange.reservedlow=0
> # sysctl net.inet.ip.portrange.reservedhigh=0
>
> MC

Oh, man, sure it works. Thank you. How I've missed this in man:

    In order to enable the mac_portacl policy, MAC policy must be enforced on
    sockets (see mac(4)), and the port(s) protected by mac_portacl must not be
    included in the range specified by the net.inet.ip.portrange.reservedlow
    and net.inet.ip.portrange.reservedhigh sysctl(8) MIBs.

-- 
======================================================================
- Best regards, Nikolay Pavlov.                  <<<-----------------------------------
======================================================================
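The man(4) passage quoted above states the condition the thread hit: a port named in a `security.mac.portacl.rules` entry only becomes bindable by the listed uid once it is outside the `net.inet.ip.portrange.reservedlow`..`reservedhigh` range. The following script, added here as an example and not part of the original message or of FreeBSD, checks that condition against a snapshot of `sysctl` output. It parses the `idtype:id:proto:port` rules, reports each port that still falls inside the reserved range, and returns non-zero if any does. The snapshot is constructed, not captured from a real host; its rule for port 443 is an assumption added to show a multi-rule list, and the `portacl_check` / `sysctl_value` names are this example's own.

```shell
#!/bin/sh
# Constructed sample of `sysctl` output (not captured from a real host).
# It reproduces the state the thread started from: rules present, but the
# reserved range still covers ports 0-1023, so the bind is refused.
SAMPLE_SYSCTL='security.mac.portacl.enabled: 1
security.mac.portacl.suser_exempt: 1
security.mac.portacl.autoport_exempt: 1
security.mac.portacl.port_high: 1023
security.mac.portacl.rules: uid:100:tcp:80,uid:100:tcp:443
net.inet.ip.portrange.reservedlow: 0
net.inet.ip.portrange.reservedhigh: 1023'

# sysctl_value NAME SNAPSHOT
# Print the value recorded for MIB NAME in SNAPSHOT ("name: value" lines).
sysctl_value() {
    printf '%s\n' "$2" | sed -n "s/^$1: //p"
}

# portacl_check SNAPSHOT
# For every rule in security.mac.portacl.rules, print "ok <rule>" if the
# rule's port lies outside the reserved range, or "blocked <rule> ..." if
# it lies inside it. Return 1 if any rule is blocked, 0 otherwise.
portacl_check() {
    snap=$1
    low=$(sysctl_value net.inet.ip.portrange.reservedlow "$snap")
    high=$(sysctl_value net.inet.ip.portrange.reservedhigh "$snap")
    rules=$(sysctl_value security.mac.portacl.rules "$snap")
    status=0

    # Rules are comma separated; split them into positional parameters.
    oldifs=$IFS
    IFS=,
    set -- $rules
    IFS=$oldifs

    for rule; do
        port=${rule##*:}            # last field of idtype:id:proto:port
        if [ "$port" -ge "$low" ] && [ "$port" -le "$high" ]; then
            echo "blocked $rule (port $port inside reserved range $low-$high)"
            status=1
        else
            echo "ok $rule"
        fi
    done
    return $status
}

# Stand-alone run: check the constructed snapshot as-is, then with the
# reserved range narrowed to 0-79 so that the listed ports fall outside it.
if [ "${0##*/}" != "sh" ]; then
    portacl_check "$SAMPLE_SYSCTL" || echo "-> rules will not take effect"
    FIXED=$(printf '%s\n' "$SAMPLE_SYSCTL" | sed 's/reservedhigh: 1023/reservedhigh: 79/')
    portacl_check "$FIXED" && echo "-> rules will take effect"
fi
```

On a live system the snapshot would come from `sysctl security.mac.portacl net.inet.ip.portrange`. The second run shows the narrower fix the man page wording allows: shrinking the reserved range so that only the ports carried by mac_portacl rules leave it, rather than setting both MIBs to 0 and lifting the reserved-port restriction for every port below 1024.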