what you can do though is remove the restriction on the ports, then use 
systrace to restrict them.  this gives you the ablility to have sendmail, 
etc. running as an unpriv user, but still allowed to bind to the proper 
port(s).

(ex, only let root:wheel bind to port 22, but allow root:wheel and www:nopriv 
bind to 80 and 443, etc.)

-joe

On Sunday 11 August 2002 11:34, Greg A. Woods wrote:
> [ On Thursday, August 8, 2002 at 13:54:26 (+0100), Rasputin wrote: ]
>
> > Subject: Re: new sysctl - privilaged ports runtime option?
> >
> > Does this change win anything over using something like ipnat to
> > redirect inbound port 80 traffic -> 8888 , for example?
>
> I would think not.  Indeed using NOPRIVPORTS is _far_ "worse" (as in
> generically much less secure) than using IPNAT.  With IPNAT you've got
> control over things like port 80 while not having to worry quite so much
> about port 22 (or rather force your clients to worry about port 22).