problem with BIND / dhclient
Dan Lukes
dan at obluda.cz
Mon Apr 29 23:01:14 CEST 2019
Miroslav Lachman wrote on 29. 4. 2019 15:51:
>> But I wouldn't handle this by addresses. I would simply allow any
>> outgoing UDP from port 67 to port 68 and incoming UDP from port 68 to
>> port 67. Period.
>
> You're right, of course. Last night I wasn't thinking straight, so now
> I've restored the original contents of the "reserved" table, put the
> rules for ports 67 and 68 before the rule blocking traffic from the
> "reserved" table, and it looks like everything is as it should be :)
See, and I thought that if the rules don't have the 'quick' option (which
yours don't), IPF runs last-match ...
> When I do ifconfig down and ifconfig up, BIND logs this:
> 29-Apr-2019 15:47:47.052 network: info: no longer listening on AA.BB.CC.32#53
> 29-Apr-2019 15:47:47.053 network: info: listening on IPv4 interface bge0, AA.BB.CC.32#53
> 29-Apr-2019 15:47:47.053 network: error: binding TCP socket: permission denied
> So for some reason it gets Permission denied for the TCP socket - what
> could be the reason that UDP works for it but TCP doesn't?
After startup BIND drops root privileges and switches to the 'bind' user.
But only root may listen on ports <1024 - hence, most likely, the EPERM.
Because of that I have mac_portacl loaded into the kernel and the
following in /etc/sysctl.conf:
# ------------------
# By default, ports below 1024 can only be used by privileged processes
# which run as root. For mac_portacl(4) to allow non-privileged processes
# to bind to ports below 1024, set the following tunables as follows:
security.mac.portacl.port_high=1023
net.inet.ip.portrange.reservedlow=0
net.inet.ip.portrange.reservedhigh=0
# To prevent the root user from being affected by this policy
security.mac.portacl.suser_exempt=1
# permits the user with the UID of 53 to bind to TCP & UDP port 53
security.mac.portacl.rules=uid:53:udp:53,uid:53:tcp:53
# ------------------
Dan
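Added example (not part of the post, nor FreeBSD's own code): a small Python model of how the tunables above combine for a single bind(), handy for sanity-checking a security.mac.portacl.rules string before reloading sysctl.conf. The tunable names and the uid/gid:id:proto:port rule syntax are the real ones; the decision logic is a simplified re-implementation, and the 53/bind values are taken from the post.

```python
from dataclasses import dataclass


@dataclass
class PortaclConfig:
    """Tunables from the post; reservedhigh's stock default is 1023."""
    rules: str                # security.mac.portacl.rules
    port_high: int = 1023     # security.mac.portacl.port_high
    suser_exempt: int = 1     # security.mac.portacl.suser_exempt
    reservedlow: int = 0      # net.inet.ip.portrange.reservedlow
    reservedhigh: int = 0     # net.inet.ip.portrange.reservedhigh


def parse_rules(rules: str) -> list[tuple[str, int, str, int]]:
    """Parse 'idtype:id:proto:port[,...]'; reject malformed entries loudly,
    since a typo in sysctl.conf would otherwise become a silent deny."""
    parsed = []
    for entry in filter(None, rules.split(",")):
        parts = entry.split(":")
        if len(parts) != 4 or parts[0] not in ("uid", "gid") \
                or parts[2] not in ("tcp", "udp"):
            raise ValueError(f"malformed rule {entry!r}")
        parsed.append((parts[0], int(parts[1]), parts[2], int(parts[3])))
    return parsed


def bind_allowed(cfg: PortaclConfig, uid: int, gids: list[int],
                 proto: str, port: int) -> tuple[bool, str]:
    """Return (allowed, reason) for one bind() of proto/port by uid/gids."""
    # The stock IP stack check runs first: a non-root bind inside
    # [reservedlow, reservedhigh] fails before any MAC policy is asked,
    # which is why the post sets both tunables to 0.
    if uid != 0 and cfg.reservedlow <= port <= cfg.reservedhigh:
        return False, "reserved port range denies it before mac_portacl runs"
    if port > cfg.port_high:
        return True, "port above port_high, policy not consulted"
    if uid == 0 and cfg.suser_exempt:
        return True, "root is exempt (suser_exempt=1)"
    for idtype, ident, rproto, rport in parse_rules(cfg.rules):
        if (rproto, rport) == (proto, port) and (
                (idtype == "uid" and ident == uid)
                or (idtype == "gid" and ident in gids)):
            return True, f"matched rule {idtype}:{ident}:{rproto}:{rport}"
    return False, "no matching rule"


if __name__ == "__main__":
    cfg = PortaclConfig(rules="uid:53:udp:53,uid:53:tcp:53")
    for proto, port in (("tcp", 53), ("udp", 53), ("tcp", 80)):
        print(proto, port, bind_allowed(cfg, 53, [53], proto, port))
```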