Binding Squid to reserved port (was: mac_portacl)

Nikolay Pavlov quetzal at zone3000.net
Fri Oct 20 10:10:25 PDT 2006


On Friday, 20 October 2006 at 17:38:59 +0100, mal content wrote:
> On 20/10/06, Nikolay Pavlov <quetzal at zone3000.net> wrote:
> >On Friday, 20 October 2006 at 16:57:06 +0200, Fabian Keil wrote:
> >> Nikolay Pavlov <quetzal at zone3000.net> wrote:
> >>
> >> > I am trying to implement reverse proxy using squid with mac_portacl,
> >> > but i have problem while binding squid to port 80.
> >> > Am i missed something?
> >> >
> >> > Here is my mac_portacl variables:
> >> >
> >> > # sysctl security.mac.portacl.
> >> > security.mac.portacl.enabled: 1
> >> > security.mac.portacl.suser_exempt: 1
> >> > security.mac.portacl.autoport_exempt: 1
> >> > security.mac.portacl.port_high: 1023
> >> > security.mac.portacl.rules: uid:100:tcp:80
> >> >
> 
> The mac_portacl page in the handbook says that you need to disable normal
> UNIX bind restrictions on ports. Have you tried this:
> 
> # sysctl net.inet.ip.portrange.reservedlow=0
> # sysctl net.inet.ip.portrange.reservedhigh=0
> 
> MC

Oh.. Man, sure it works. Thank you.

How I've missed this in man:

In order to enable the mac_portacl policy, MAC policy must be enforced on
sockets (see mac(4)), and the port(s) protected by mac_portacl must not
be included in the range specified by the
net.inet.ip.portrange.reservedlow and net.inet.ip.portrange.reservedhigh
sysctl(8) MIBs.

-- 
======================================================================  
- Best regards, Nikolay Pavlov. <<<-----------------------------------    
======================================================================  
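The check the thread arrives at, written out as an added example (not code from the original post, and not a FreeBSD tool): a POSIX sh script that takes a security.mac.portacl.rules string together with the reservedlow, reservedhigh and port_high values it will run under, and reports every rule port that the ordinary reserved-port check would still refuse to bind, or that lies above port_high and is therefore outside mac_portacl's scope. The function names, and passing the sysctl values in as arguments instead of reading them from the running kernel, are assumptions made so the script runs offline; on a live host you would feed it `sysctl -n` output.

```shell
#!/bin/sh
# Added example (not from the original post or from FreeBSD's own tools):
# check a mac_portacl rule set against the sysctl values it will run with.
# The sysctl values are passed as arguments so the script runs offline; on a
# live host, feed it e.g. "$(sysctl -n net.inet.ip.portrange.reservedlow)".

# portacl_rule_ports RULES
#   Prints the port of each comma-separated rule in the
#   security.mac.portacl.rules format (idtype:id:proto:port), one per line.
portacl_rule_ports() {
    printf '%s\n' "$1" | tr ',' '\n' |
    while IFS=: read -r _idtype _id _proto port; do
        if [ -n "$port" ]; then
            printf '%s\n' "$port"
        fi
    done
}

# port_is_reserved PORT LOW HIGH
#   True (exit 0) when PORT lies in [LOW, HIGH], the range in which the
#   ordinary superuser-only bind(2) check still applies.
port_is_reserved() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# portacl_check RULES RESERVEDLOW RESERVEDHIGH PORT_HIGH
#   Exit 0 when every rule port can actually be bound by the listed uid/gid:
#   the port must be outside the reserved range (otherwise bind(2) is still
#   refused even though the rule allows it) and not above
#   security.mac.portacl.port_high (ports above it are not governed by
#   mac_portacl at all). Problems are reported on stderr; exit 1.
portacl_check() {
    rules=$1; low=$2; high=$3; port_high=$4
    status=0
    for port in $(portacl_rule_ports "$rules"); do
        if port_is_reserved "$port" "$low" "$high"; then
            echo "port $port: inside reservedlow=$low..reservedhigh=$high, bind(2) still refused" >&2
            status=1
        fi
        if [ "$port" -gt "$port_high" ]; then
            echo "port $port: above security.mac.portacl.port_high=$port_high, rule has no effect" >&2
            status=1
        fi
    done
    return $status
}

# portacl_sysctl_conf RULES
#   Prints the sysctl.conf lines that make mac_portacl alone decide who may
#   bind the ports in the rule set, which is what the thread settled on.
portacl_sysctl_conf() {
    cat <<EOF
security.mac.portacl.enabled=1
security.mac.portacl.rules=$1
net.inet.ip.portrange.reservedlow=0
net.inet.ip.portrange.reservedhigh=0
EOF
}

# Demo with the values from the thread: the poster's original settings fail,
# the settings after the suggested fix pass.
portacl_check "uid:100:tcp:80" 0 1023 1023 ||
    echo "original settings: squid (uid 100) still cannot bind port 80"
portacl_check "uid:100:tcp:80" 0 0 1023 &&
    portacl_sysctl_conf "uid:100:tcp:80"
```

The script only validates and prints configuration; it does not load the policy module itself (that is done with mac_portacl_load="YES" in /boot/loader.conf), and with reservedlow and reservedhigh both set to 0 the rule set is the only thing standing between an unprivileged process and a low port, so every rule in it should be reviewed with that in mind.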
