Subject: Re: new sysctl - privilaged ports runtime option?
To: None <tech-kern@netbsd.org>
From: Joe Reed <jnr@po.cwru.edu>
List: tech-kern
Date: 08/11/2002 15:10:16
> I generally _really_ like to do security related things in exactly the
> opposite way so that they "fail safely". I.e. only release the
> restrictions on specific ports, and to only do that via a restricted
> interface. Assuming it works then IPNAT satisfies my requirements
> exactly, whereas using NOPRIVEPORTS+systrace goes diametrically opposite
> to them.
hmmm... i was under the impression that ipnat will not map between ports on
the same interface. i've gotten around this by setting services to run only
on lo0, then ipnat'ing to them.
i wonder how hard it would be to implement a uid<->port mapping that would
allow for privilaged ports to be released on a per-uid basis. or would such
functionality just not be worth it. thoughts/ideas?
--joe