problem s BINDem / dhclient

Miroslav Lachman 000.fbsd at quip.cz
Tue Apr 30 23:50:12 CEST 2019

Previous message (by thread): problem s BINDem / dhclient
Next message (by thread): problem s BINDem / dhclient
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Dan Lukes wrote on 2019/04/29 23:01:
> Miroslav Lachman wrote on 29. 4. 2019 15:51:
>>> Ale ja bych tohle neresil pres adresy. Proste bych povolil jakekoliv 
>>> odchozi UDP z portu 67 na port 68 a prichozi UDP z portu 68 na port 
>>> 67. Tecka.
>>
>> Mas samozrejme pravdu. V noci uz mi to moc nemyslelo, takze ted jsem 
>> vratil zpatky puvodni nastaveni tabulky "reserved", pravidla pro porty 
>> 67 a 68 hodil pred pravidlo zakazujici komunikaci z tabulky "reserved" 
>> a vypada to, ze je vsechno jak ma byt :)
> 
> Vidis, a ja myslel, ze pokud pravidla nemaji option 'quick' (coz u tebe 
> nemaji) tak IPF jede last-match ...

Jeste se naposledy vratim k tomu reseni dhclienta...
Ja tam prave quick mam:

## Deny all non routable trafic on external interface
block log quick on $ext_if inet from <reserved> to any
block log quick on $ext_if inet from any to <reserved>

Pozor na rozdil mezi PF a IPF, to jsou dva ruzne firewally ;o) Je 
pouzivam PF (ten byl importovany jako treti friewall z OpenBSD), IPF 
neboli IP Filter je na FreeBSD asi od verze 2.2.
Aby toho nebylo malo, tak na NetBSD maji jeste svuj NPF.

A jak jsme tu resili prichozi / odchozi z 67 / 68 tak funkcni reseni je 
tohle:

pass in quick on $ext_if proto udp from port 67 to port 68
pass out quick on $ext_if proto udp from port 68 to port 67

Puvodne jsem si do pravidel dal obe varianty a pak kouknul na pftop 
statistiky, ktera pravidla se skutecne pouzivaji.


> BIND po startu zahodi root prava a prepdne se na uzivatele 'bind'. Ale 
> na portech <1024 muze poslouchat jen root - zrejme proto ten EPERM.

A nemelo by se to pak stejne chovat jak pro UDP, tak pro TCP? Nebo se 
tyhle dva protokoly natolik lisi v kodu, ze to pak i jinak zafunguje pri 
ifconfig down / up?

> Ja mam kvuli tomu kernelu nahrany mac_portacl a v /etc/sysctl.conf 
> nasledujici:
> # ------------------
> #By default, ports below 1024 can only be used by privileged processes 
> which run as root. For mac_portacl(4) to allow non-privileged processes 
> to bind to ports below 1024, set the following tunables as follows:
> security.mac.portacl.port_high=1023
> net.inet.ip.portrange.reservedlow=0
> net.inet.ip.portrange.reservedhigh=0
> #To prevent the root user from being affected by this policy
> security.mac.portacl.suser_exempt=1
> #permits the user with the UID of 53 to bind to TCP & UDP port 53
> security.mac.portacl.rules=uid:53:udp:53,uid:53:tcp:53
> # ------------------

mac_portacl jsem pred lety zvazoval kvuli nejakemu uplne jinemu projektu 
a nakonec na to nedoslo, tak je mozne, ze ted uzral ten cas a zkusim to 
s BINDem.
Diky za tip.

Mirek

Previous message (by thread): problem s BINDem / dhclient
Next message (by thread): problem s BINDem / dhclient
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Users-l mailing list