Subject: Re: [Package Suggestion] Socker
To: None <pkgsrc-users@NetBSD.org>
From: Christian Biere <christianbiere@gmx.de>
List: pkgsrc-users
Date: 02/24/2006 21:00:08

Jeremy C. Reed wrote:
> On Fri, 24 Feb 2006, Christian Biere wrote:
> > and a library.  The helper program must be installed with the
> > setuid-bit set for user root.  When executed, this helper program
> > socker checks whether the user is allowed to create a socket with
> > the specified parameters. If permissions are granted, socker
> > creates and binds a socket using given parameters. The socket is
> > then passed back to the caller."

> Since this has to be set up by root in the first place,

I haven't tried but I think it's sudo-compatible. Then again
sudo is much more code and configuration than socker.

> why not use address
> translation in a packet filter instead? I am curious ... what are the
> benefits/negatives of address translation versus using "socker"?

On my 486 - primarily used as router, but also server - NAT is far too
heavy on resources when you have a lot of connections or transactions.
On VServers, other OS etc. you don't necessarily have the ability to
use such a port redirecting. The NAT trick also has the side-effect
that the server is accessible on the target port as well which might
not be desired and requires an additional block rule.

For some users it might also be easier to configure socker than
configuring their firewall properly. I could be wrong on this but
not-so-advanced end-users usually have trouble with this, especially
advanced firewall features. I'm keeping in mind that pkgsrc is not
only for NetBSD and personally I find iptables much more obscure than
pf or ipf.

Another - maybe minor - issue with port redirecting is that anyone can
bind to that port then. If this is an important service you probably
don't want to risk that someone could use the short time window after
a restart/crash/reboot to take over this port. With Socker you can
limit the access to certain user(s) - but don't have to.

I fully agree that the setuid-bit is ugly but if the OS doesn't
provide a cleaner solution, I find it acceptable. It is certainly a
good idea to wrap Socker with systrace or the like if you can.

--
Christian
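
The mechanism quoted above (a privileged helper checks policy, creates and binds the socket, then passes it back to the caller), sketched in C as an added example; it is not Socker's source and not part of the original message. It assumes the descriptor is handed over with SCM_RIGHTS on a Unix-domain socket; `struct rule`, `helper_grant` and `caller_receive` are hypothetical names, and the helper binds on loopback so it can be exercised with port 0 without root.

```c
/* Added illustration, not Socker's source; SCM_RIGHTS passing is an assumption. */
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

struct rule { uid_t uid; unsigned short port; };   /* hypothetical policy entry */
union ctl { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; };

/* Prepare a one-byte message with room for one descriptor in the control area. */
static void prep(struct msghdr *m, struct iovec *iov, char *byte, union ctl *c)
{
    memset(m, 0, sizeof *m); memset(c, 0, sizeof *c);
    iov->iov_base = byte; iov->iov_len = 1;
    m->msg_iov = iov; m->msg_iovlen = 1;
    m->msg_control = c->buf; m->msg_controllen = sizeof c->buf;
}

/* Helper side: enforce the rule, bind on loopback, pass the descriptor over chan. */
int helper_grant(int chan, const struct rule *r, uid_t caller, unsigned short port)
{
    struct sockaddr_in a = { .sin_family = AF_INET };
    struct msghdr m; struct iovec iov; union ctl c; char byte = 0; int s, rc;
    if (caller != r->uid || port != r->port) return -1;    /* request denied */
    if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) return -1;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK); a.sin_port = htons(port);
    if (bind(s, (struct sockaddr *)&a, sizeof a) < 0) { close(s); return -1; }
    prep(&m, &iov, &byte, &c);
    struct cmsghdr *h = CMSG_FIRSTHDR(&m);
    h->cmsg_level = SOL_SOCKET; h->cmsg_type = SCM_RIGHTS;
    h->cmsg_len = CMSG_LEN(sizeof s);
    memcpy(CMSG_DATA(h), &s, sizeof s);
    rc = sendmsg(chan, &m, 0) == 1 ? 0 : -1;
    close(s);                    /* the helper keeps no copy of the bound socket */
    return rc;
}

/* Caller side: receive the already-bound descriptor, or -1 on failure. */
int caller_receive(int chan)
{
    struct msghdr m; struct iovec iov; union ctl c; char byte; int fd;
    prep(&m, &iov, &byte, &c);
    if (recvmsg(chan, &m, 0) != 1) return -1;
    struct cmsghdr *h = CMSG_FIRSTHDR(&m);
    if (!h || h->cmsg_level != SOL_SOCKET || h->cmsg_type != SCM_RIGHTS) return -1;
    memcpy(&fd, CMSG_DATA(h), sizeof fd);
    return fd;
}
```

The unprivileged caller only ever calls `listen()` and `accept()` on the received descriptor; the privileged code path ends once the descriptor has been sent.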
