search for: mac_portacl

Hello, I really like the idea behind mac_portacl but I find it difficult to use it because of one issue. When an unprivileged program binds to high automatic port with a call to bind(2) and port number set to 0 the system chooses the port to bind to itself. This mechanismus is used by number of programs, most commonly by ftp clients in active...

Hi, folks. I am trying to implement reverse proxy using squid with mac_portacl, but i have problem while binding squid to port 80. Am i missed something? Here is my mac_portacl variables: # sysctl security.mac.portacl. security.mac.portacl.enabled: 1 security.mac.portacl.suser_exempt: 1 security.mac.portacl.autoport_exempt: 1 security.mac.portacl.port_high: 1023 security.m...

...ne don't need to use firewall for this purpose. It adds new idtype - 'jid'. With this patch, one can configure that jail with the given JID can use only defined ports: # sysctl security.mac.portacl.rules="jid:1:tcp:80" Patch is here: http://people.freebsd.org/~pjd/patches/mac_portacl.c.patch Any objections? PS. With the above policy, processes from outside a jail can bind to port 80. We can change this behaviour to "allow port 80 to be used only inside a jail 1". This will be a warning for not jailed processes (don't use this port, because it can be...

Hi all, I am looking at securing a web server using the FreeBSD MAC Framework. To make things clear I will call the hosted users "web users". Those are the issues I am dealing with: ** Network Security ** - Web users shouldn't be able to connect to reserved local ports apart from 25(smtp); 80(http); 443(https) and 3306(MySQL) Solution: run the web server and web users shell in

Hello, I've been looking at the different MAC modules available and how they cold help to implement a less insecure than usual shared hosting web server. I've not been able to come up with a suitable configuration, looking at mac_bsdextended, mac_biba and mac_mls, but I think that a MAC module with the following policies could be very useful for such an environment. Have I