Re: Binding Squid to reserved port (was: mac_portacl)

Board: FB_security, posted 2006/10/21 01:26
On Friday, 20 October 2006 at 17:38:59 +0100, mal content wrote:
> On 20/10/06, Nikolay Pavlov <quetzal@zone3000.net> wrote:
> >On Friday, 20 October 2006 at 16:57:06 +0200, Fabian Keil wrote:
> >> Nikolay Pavlov <quetzal@zone3000.net> wrote:
> >>
> >> > I am trying to implement reverse proxy using squid with mac_portacl,
> >> > but I have problem while binding squid to port 80.
> >> > Am I missed something?
> >> >
> >> > Here is my mac_portacl variables:
> >> >
> >> > # sysctl security.mac.portacl.
> >> > security.mac.portacl.enabled: 1
> >> > security.mac.portacl.suser_exempt: 1
> >> > security.mac.portacl.autoport_exempt: 1
> >> > security.mac.portacl.port_high: 1023
> >> > security.mac.portacl.rules: uid:100:tcp:80
> >> >
> >
> The mac_portacl page in the handbook says that you need to disable normal
> UNIX bind restrictions on ports. Have you tried this:
>
> # sysctl net.inet.ip.portrange.reservedlow=0
> # sysctl net.inet.ip.portrange.reservedhigh=0
>
> MC

Oh.. Man sure it works. Thank you.
How I've missed this in man:

    In order to enable the mac_portacl policy, MAC policy must be enforced on
    sockets (see mac(4)), and the port(s) protected by mac_portacl must not be
    included in the range specified by the net.inet.ip.portrange.reservedlow and
    net.inet.ip.portrange.reservedhigh sysctl(8) MIBs.

--
======================================================================
- Best regards, Nikolay Pavlov. <<<-----------------------------------
======================================================================

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
Article code (AID): #15EGQm00 (FB_security)
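The interaction resolved in the message above, as an added example that is not part of the thread or of FreeBSD: a POSIX shell function that checks each `security.mac.portacl.rules` entry against the reserved-port range and `port_high`. The function name and verdict labels are hypothetical, and the 0-1023 range in the demo is the assumed stock setting; values are passed as arguments so the check also runs off-box.

```shell
#!/bin/sh
# Added example: audit mac_portacl rules against the reserved-port range.
# On FreeBSD the four arguments would come from `sysctl -n <mib>`.

# portacl_audit RULES RESERVEDLOW RESERVEDHIGH PORT_HIGH
# Prints one verdict per rule; returns 1 if any rule cannot take effect.
portacl_audit() {
    rest=$1 low=$2 high=$3 port_high=$4 rc=0
    while [ -n "$rest" ]; do
        rule=${rest%%,*}                       # first rule in the list
        case $rest in *,*) rest=${rest#*,} ;; *) rest= ;; esac
        # Rule syntax: idtype:id:protocol:port
        IFS=: read -r idtype id proto port extra <<EOF
$rule
EOF
        verdict=OK
        case "$idtype" in uid|gid) ;; *) verdict=MALFORMED ;; esac
        case "$proto" in tcp|udp) ;; *) verdict=MALFORMED ;; esac
        case "$id" in ''|*[!0-9]*) verdict=MALFORMED ;; esac
        case "$port" in ''|*[!0-9]*) verdict=MALFORMED ;; esac
        [ -z "$extra" ] || verdict=MALFORMED
        if [ "$verdict" = OK ]; then
            if [ "$port" -ge "$low" ] && [ "$port" -le "$high" ]; then
                # The ordinary privileged-port check still denies non-root.
                verdict=BLOCKED_BY_RESERVED_RANGE
            elif [ "$port" -gt "$port_high" ]; then
                # mac_portacl enforces nothing above port_high.
                verdict=ABOVE_PORT_HIGH
            fi
        fi
        [ "$verdict" = OK ] || rc=1
        echo "$rule $verdict"
    done
    return "$rc"
}

# Constructed demo: the rule and port_high from the thread, first with the
# assumed stock range 0-1023, then with the handbook's 0/0 setting.
portacl_audit "uid:100:tcp:80" 0 1023 1023 || true
portacl_audit "uid:100:tcp:80" 0 0 1023
```

With the reserved range set to 0/0, mac_portacl is the only control on ports up to `port_high`, so an `ABOVE_PORT_HIGH` verdict below 1024 marks a port that any user can bind.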