Subject: Re: new sysctl - privileged ports runtime option?
To: NetBSD Kernel Technical Discussion List <tech-kern@NetBSD.ORG>
From: Joe Reed <jnr@po.cwru.edu>
List: tech-kern
Date: 08/11/2002 13:57:56
what you can do though is remove the restriction on the ports, then use
systrace to restrict them. this gives you the ability to have sendmail,
etc. running as an unpriv user, but still allowed to bind to the proper
port(s).
(ex, only let root:wheel bind to port 22, but allow root:wheel and www:nopriv
bind to 80 and 443, etc.)
-joe
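As an added illustration, not part of Joe's post, here is a systrace policy of the kind he describes, for a hypothetical web server binary at /usr/local/sbin/httpd running as an unprivileged user once the port restriction is lifted; systrace matches rules per program path, so the user:group part of the restriction comes from which account the daemon is started under, and the final deny makes any other bind attempt a logged policy violation.

```text
Policy: /usr/local/sbin/httpd, Emulation: native
	# hypothetical binary path; allow only the listener sockets it needs
	native-bind: sockaddr match "inet-*:80" then permit
	native-bind: sockaddr match "inet-*:443" then permit
	# every other bind (port 22 included) is refused with EPERM
	native-bind: sockaddr match "*" then deny[eperm]
```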
On Sunday 11 August 2002 11:34, Greg A. Woods wrote:
> [ On Thursday, August 8, 2002 at 13:54:26 (+0100), Rasputin wrote: ]
>
> > Subject: Re: new sysctl - privileged ports runtime option?
> >
> > Does this change win anything over using something like ipnat to
> > redirect inbound port 80 traffic -> 8888 , for example?
>
> I would think not. Indeed using NOPRIVPORTS is _far_ "worse" (as in
> generically much less secure) than using IPNAT. With IPNAT you've got
> control over things like port 80 while not having to worry quite so much
> about port 22 (or rather force your clients to worry about port 22).