mac_portacl

Robert Watson rwatson at FreeBSD.org
Fri Oct 20 17:08:23 PDT 2006 

On Fri, 20 Oct 2006, Nikolay Pavlov wrote:

> I am trying to implement reverse proxy using squid with mac_portacl, but i 
> have problem while binding squid to port 80. Am i missed something?

Did you set the IP stack's definition of reserved such that there are no 
reserved ports, per the mac_portacl(4) man page?

      In order to enable the mac_portacl policy, MAC policy must be enforced on
      sockets (see mac(4)), and the port(s) protected by mac_portacl must not
      be included in the range specified by the
      net.inet.ip.portrange.reservedlow and net.inet.ip.portrange.reservedhigh
      sysctl(8) MIBs.

Basically, you need to set those sysctls to 0.  That should probably be 
explicit in the man page, rather than implicit as it is now.

Robert N M Watson
Computer Laboratory
University of Cambridge

>
> Here is my mac_portacl variables:
>
> # sysctl security.mac.portacl.
> security.mac.portacl.enabled: 1
> security.mac.portacl.suser_exempt: 1
> security.mac.portacl.autoport_exempt: 1
> security.mac.portacl.port_high: 1023
> security.mac.portacl.rules: uid:100:tcp:80
>
> And squid user info:
>
> # grep squid /etc/passwd
> squid:*:100:100:squid caching-proxy pseudo user:/usr/local/squid:/usr/sbin/nologin
>
> Also here is cache.log:
>
> 2006/10/20 09:55:59| Starting Squid Cache version 2.5.STABLE14 for
> i386-portbld-freebsd6.1...
> 2006/10/20 09:55:59| Process ID 6584
> 2006/10/20 09:55:59| With 11072 file descriptors available
> 2006/10/20 09:55:59| DNS Socket created at 0.0.0.0, port 59879, FD 5
> 2006/10/20 09:55:59| Adding nameserver 206.53.60.10 from
> /etc/resolv.conf
> 2006/10/20 09:55:59| User-Agent logging is disabled.
> 2006/10/20 09:55:59| Unlinkd pipe opened on FD 10
> 2006/10/20 09:55:59| Swap maxSize 102400000 KB, estimated 7876923
> objects
> 2006/10/20 09:55:59| Target number of buckets: 393846
> 2006/10/20 09:55:59| Using 524288 Store buckets
> 2006/10/20 09:55:59| Max Mem  size: 1048576 KB
> 2006/10/20 09:55:59| Max Swap size: 102400000 KB
> 2006/10/20 09:55:59| Rebuilding storage in /cache (DIRTY)
> 2006/10/20 09:55:59| Using Least Load store dir selection
> 2006/10/20 09:55:59| Set Current Directory to /usr/local/squid/cache
> 2006/10/20 09:55:59| Loaded Icons.
> 2006/10/20 09:55:59| commBind: Cannot bind socket FD 12 to *:80: (13)
> Permission denied
> FATAL: Cannot open HTTP Port
> Squid Cache (Version 2.5.STABLE14): Terminated abnormally.
> CPU Usage: 0.035 seconds = 0.000 user + 0.035 sys
> Maximum Resident Size: 9528 KB
> Page faults with physical i/o: 0
>
>
> -- 
> ======================================================================
> - Best regards, Nikolay Pavlov. <<<-----------------------------------
> ======================================================================
>
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
>

More information about the freebsd-security mailing list