Hi, folks. I am trying to implement a reverse proxy using squid with mac_portacl, but I have a problem while binding squid to port 80. Have I missed something?

Here are my mac_portacl variables:

# sysctl security.mac.portacl.
security.mac.portacl.enabled: 1
security.mac.portacl.suser_exempt: 1
security.mac.portacl.autoport_exempt: 1
security.mac.portacl.port_high: 1023
security.mac.portacl.rules: uid:100:tcp:80

And squid user info:

# grep squid /etc/passwd
squid:*:100:100:squid caching-proxy pseudo user:/usr/local/squid:/usr/sbin/nologin

Also here is cache.log:

2006/10/20 09:55:59| Starting Squid Cache version 2.5.STABLE14 for i386-portbld-freebsd6.1...
2006/10/20 09:55:59| Process ID 6584
2006/10/20 09:55:59| With 11072 file descriptors available
2006/10/20 09:55:59| DNS Socket created at 0.0.0.0, port 59879, FD 5
2006/10/20 09:55:59| Adding nameserver 206.53.60.10 from /etc/resolv.conf
2006/10/20 09:55:59| User-Agent logging is disabled.
2006/10/20 09:55:59| Unlinkd pipe opened on FD 10
2006/10/20 09:55:59| Swap maxSize 102400000 KB, estimated 7876923 objects
2006/10/20 09:55:59| Target number of buckets: 393846
2006/10/20 09:55:59| Using 524288 Store buckets
2006/10/20 09:55:59| Max Mem size: 1048576 KB
2006/10/20 09:55:59| Max Swap size: 102400000 KB
2006/10/20 09:55:59| Rebuilding storage in /cache (DIRTY)
2006/10/20 09:55:59| Using Least Load store dir selection
2006/10/20 09:55:59| Set Current Directory to /usr/local/squid/cache
2006/10/20 09:55:59| Loaded Icons.
2006/10/20 09:55:59| commBind: Cannot bind socket FD 12 to *:80: (13) Permission denied
FATAL: Cannot open HTTP Port
Squid Cache (Version 2.5.STABLE14): Terminated abnormally.
CPU Usage: 0.035 seconds = 0.000 user + 0.035 sys
Maximum Resident Size: 9528 KB
Page faults with physical i/o: 0

--
======================================================================
- Best regards, Nikolay Pavlov. <<<-----------------------------------
======================================================================
Nikolay Pavlov <quetzal@zone3000.net> wrote:

> I am trying to implement a reverse proxy using squid with mac_portacl,
> but I have a problem while binding squid to port 80.
> Have I missed something?
>
> Here are my mac_portacl variables:
>
> # sysctl security.mac.portacl.
> security.mac.portacl.enabled: 1
> security.mac.portacl.suser_exempt: 1
> security.mac.portacl.autoport_exempt: 1
> security.mac.portacl.port_high: 1023
> security.mac.portacl.rules: uid:100:tcp:80
>
> And squid user info:
>
> # grep squid /etc/passwd
> squid:*:100:100:squid caching-proxy pseudo user:/usr/local/squid:/usr/sbin/nologin
>
> Also here is cache.log:
>
> 2006/10/20 09:55:59| Starting Squid Cache version 2.5.STABLE14 for i386-portbld-freebsd6.1...
> 2006/10/20 09:55:59| Process ID 6584
> 2006/10/20 09:55:59| With 11072 file descriptors available
> 2006/10/20 09:55:59| DNS Socket created at 0.0.0.0, port 59879, FD 5
> 2006/10/20 09:55:59| Adding nameserver 206.53.60.10 from /etc/resolv.conf
> 2006/10/20 09:55:59| User-Agent logging is disabled.
> 2006/10/20 09:55:59| Unlinkd pipe opened on FD 10
> 2006/10/20 09:55:59| Swap maxSize 102400000 KB, estimated 7876923 objects
> 2006/10/20 09:55:59| Target number of buckets: 393846
> 2006/10/20 09:55:59| Using 524288 Store buckets
> 2006/10/20 09:55:59| Max Mem size: 1048576 KB
> 2006/10/20 09:55:59| Max Swap size: 102400000 KB
> 2006/10/20 09:55:59| Rebuilding storage in /cache (DIRTY)
> 2006/10/20 09:55:59| Using Least Load store dir selection
> 2006/10/20 09:55:59| Set Current Directory to /usr/local/squid/cache
> 2006/10/20 09:55:59| Loaded Icons.
> 2006/10/20 09:55:59| commBind: Cannot bind socket FD 12 to *:80: (13) Permission denied
> FATAL: Cannot open HTTP Port
> Squid Cache (Version 2.5.STABLE14): Terminated abnormally.
> CPU Usage: 0.035 seconds = 0.000 user + 0.035 sys
> Maximum Resident Size: 9528 KB
> Page faults with physical i/o: 0

I assume you aren't starting Squid with root privileges?

If you aren't, you'll have to lower net.inet.ip.portrange.reservedhigh if you want it to bind to port 80. I don't use mac_portacl, but from the name I assume security.mac.portacl.port_high does something similar.

Port redirection with your packet filter of choice would be another option.

Followup-To: freebsd-questions@freebsd.org set.

Fabian
--
http://www.fabiankeil.de/
On Fri, 20 Oct 2006, Nikolay Pavlov wrote:

> I am trying to implement a reverse proxy using squid with mac_portacl, but I
> have a problem while binding squid to port 80. Have I missed something?

Did you set the IP stack's definition of reserved such that there are no reserved ports, per the mac_portacl(4) man page?

     In order to enable the mac_portacl policy, MAC policy must be enforced on
     sockets (see mac(4)), and the port(s) protected by mac_portacl must not
     be included in the range specified by the net.inet.ip.portrange.reservedlow
     and net.inet.ip.portrange.reservedhigh sysctl(8) MIBs.

Basically, you need to set those sysctls to 0. That should probably be explicit in the man page, rather than implicit as it is now.

Robert N M Watson
Computer Laboratory
University of Cambridge

> Here are my mac_portacl variables:
>
> # sysctl security.mac.portacl.
> security.mac.portacl.enabled: 1
> security.mac.portacl.suser_exempt: 1
> security.mac.portacl.autoport_exempt: 1
> security.mac.portacl.port_high: 1023
> security.mac.portacl.rules: uid:100:tcp:80
>
> And squid user info:
>
> # grep squid /etc/passwd
> squid:*:100:100:squid caching-proxy pseudo user:/usr/local/squid:/usr/sbin/nologin
>
> Also here is cache.log:
>
> 2006/10/20 09:55:59| Starting Squid Cache version 2.5.STABLE14 for i386-portbld-freebsd6.1...
> 2006/10/20 09:55:59| Process ID 6584
> 2006/10/20 09:55:59| With 11072 file descriptors available
> 2006/10/20 09:55:59| DNS Socket created at 0.0.0.0, port 59879, FD 5
> 2006/10/20 09:55:59| Adding nameserver 206.53.60.10 from /etc/resolv.conf
> 2006/10/20 09:55:59| User-Agent logging is disabled.
> 2006/10/20 09:55:59| Unlinkd pipe opened on FD 10
> 2006/10/20 09:55:59| Swap maxSize 102400000 KB, estimated 7876923 objects
> 2006/10/20 09:55:59| Target number of buckets: 393846
> 2006/10/20 09:55:59| Using 524288 Store buckets
> 2006/10/20 09:55:59| Max Mem size: 1048576 KB
> 2006/10/20 09:55:59| Max Swap size: 102400000 KB
> 2006/10/20 09:55:59| Rebuilding storage in /cache (DIRTY)
> 2006/10/20 09:55:59| Using Least Load store dir selection
> 2006/10/20 09:55:59| Set Current Directory to /usr/local/squid/cache
> 2006/10/20 09:55:59| Loaded Icons.
> 2006/10/20 09:55:59| commBind: Cannot bind socket FD 12 to *:80: (13) Permission denied
> FATAL: Cannot open HTTP Port
> Squid Cache (Version 2.5.STABLE14): Terminated abnormally.
> CPU Usage: 0.035 seconds = 0.000 user + 0.035 sys
> Maximum Resident Size: 9528 KB
> Page faults with physical i/o: 0
>
> --
> ======================================================================
> - Best regards, Nikolay Pavlov. <<<-----------------------------------
> ======================================================================
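Pulling the two replies together: the rule uid:100:tcp:80 is fine, but as long as port 80 still sits inside net.inet.ip.portrange.reservedlow..reservedhigh the IP stack's own reserved-port check refuses the bind for a non-root process before mac_portacl ever gets to decide. The sh script below is an added example, not code from the thread or from FreeBSD. It parses sysctl(8)-style "name: value" snapshots (constructed here: one with the poster's values, one with the reserved range cleared as Robert suggests, plus an extra gid rule) and says why a given uid/gid would or would not be allowed to bind a port. The defaults it assumes when a MIB is missing from a snapshot (reservedlow 0, reservedhigh 1023, port_high 1023, suser_exempt 1) are the FreeBSD defaults; the one-word verdict names are its own.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD: given a sysctl(8)-style
# "name: value" snapshot, explain whether a process running as UID/GID would be
# allowed to bind PROTO/PORT under mac_portacl plus the IP stack's reserved
# range. Assumed defaults for MIBs absent from the snapshot (FreeBSD defaults):
# reservedlow=0, reservedhigh=1023, port_high=1023, suser_exempt=1.

# Constructed snapshot: the poster's settings. Port 80 is still inside the
# stack's reserved range, so the uid 100 rule never gets a chance.
SYSCTL_BROKEN='security.mac.portacl.enabled: 1
security.mac.portacl.suser_exempt: 1
security.mac.portacl.autoport_exempt: 1
security.mac.portacl.port_high: 1023
security.mac.portacl.rules: uid:100:tcp:80
net.inet.ip.portrange.reservedlow: 0
net.inet.ip.portrange.reservedhigh: 1023'

# Constructed snapshot: the same policy after setting reservedlow and
# reservedhigh to 0 as the replies advise, with a second, gid-based rule.
SYSCTL_FIXED='security.mac.portacl.enabled: 1
security.mac.portacl.suser_exempt: 1
security.mac.portacl.autoport_exempt: 1
security.mac.portacl.port_high: 1023
security.mac.portacl.rules: uid:100:tcp:80,gid:100:udp:53
net.inet.ip.portrange.reservedlow: 0
net.inet.ip.portrange.reservedhigh: 0'

# sysctl_get NAME SNAPSHOT: print the value recorded for NAME (empty if absent).
sysctl_get() {
    printf '%s\n' "$2" | awk -v k="$1:" '$1 == k { print $2 }'
}

# portacl_verdict UID GID PROTO PORT SNAPSHOT
# Prints exactly one word:
#   disabled        mac_portacl is off; only the stack's reserved range applies
#   allowed         bind permitted (root with suser_exempt, port above
#                   port_high, or a matching uid/gid rule)
#   reserved-range  PORT lies in [reservedlow, reservedhigh]: the stack denies
#                   non-root regardless of any mac_portacl rule
#   no-rule         PORT is protected by mac_portacl and no rule matches
portacl_verdict() {
    uid=$1 gid=$2 proto=$3 port=$4 snap=$5
    enabled=$(sysctl_get security.mac.portacl.enabled "$snap")
    suser=$(sysctl_get security.mac.portacl.suser_exempt "$snap")
    port_high=$(sysctl_get security.mac.portacl.port_high "$snap")
    rlow=$(sysctl_get net.inet.ip.portrange.reservedlow "$snap")
    rhigh=$(sysctl_get net.inet.ip.portrange.reservedhigh "$snap")
    rules=$(sysctl_get security.mac.portacl.rules "$snap")
    suser=${suser:-1} port_high=${port_high:-1023} rlow=${rlow:-0} rhigh=${rhigh:-1023}

    if [ "$enabled" != 1 ]; then
        echo disabled; return 0
    fi
    # The superuser bypasses both checks when suser_exempt is set.
    if [ "$uid" = 0 ] && [ "$suser" = 1 ]; then
        echo allowed; return 0
    fi
    # The IP stack's reserved-port check is independent of MAC and wins first.
    if [ "$port" -ge "$rlow" ] && [ "$port" -le "$rhigh" ]; then
        echo reserved-range; return 0
    fi
    # Ports above port_high are not arbitrated by mac_portacl at all.
    if [ "$port" -gt "$port_high" ]; then
        echo allowed; return 0
    fi
    # rules is a comma-separated list of idtype:id:proto:port entries.
    verdict=no-rule
    oldifs=$IFS; IFS=,
    for rule in $rules; do
        case $rule in
            "uid:$uid:$proto:$port"|"gid:$gid:$proto:$port") verdict=allowed ;;
        esac
    done
    IFS=$oldifs
    echo "$verdict"
}

# Stand-alone demonstration: squid (uid 100, gid 100) binding tcp/80.
echo "before fix: $(portacl_verdict 100 100 tcp 80 "$SYSCTL_BROKEN")"
echo "after fix:  $(portacl_verdict 100 100 tcp 80 "$SYSCTL_FIXED")"
```

On a live box the snapshot argument would be the output of `sysctl security.mac.portacl net.inet.ip.portrange`. The check reproduces the thread's diagnosis: with the poster's values the verdict is reserved-range, and only after reservedlow and reservedhigh are both 0 does the mac_portacl rule list alone decide who may bind below port_high.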