From owner-freebsd-security Thu Jun 24 6:57:58 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.sminter.com.ar (ns1.sminter.com.ar [200.10.100.10])
	by hub.freebsd.org (Postfix) with ESMTP id 1EA3714D25
	for ; Thu, 24 Jun 1999 06:57:53 -0700 (PDT)
	(envelope-from fpscha@ns1.sminter.com.ar)
Received: (from fpscha@localhost)
	by ns1.sminter.com.ar (8.8.5/8.8.4) id KAA18059;
	Thu, 24 Jun 1999 10:57:44 -0300 (GMT)
Message-Id: <199906241357.KAA18059@ns1.sminter.com.ar>
Subject: Re: proposed secure-level 4 patch
In-Reply-To: <19990622222055.J2436@lucky.net> from Valentin Nechayev at "Jun 22, 99 10:20:55 pm"
To: netch@carrier.kiev.ua (Valentin Nechayev)
Date: Thu, 24 Jun 1999 10:57:44 -0300 (GMT)
Cc: freebsd-security@FreeBSD.ORG
From: Fernando Schapachnik
X-Mailer: ELM [version 2.4ME+ PL40 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In a previous message, Valentin Nechayev wrote:

[...]
> -> Deny all except uid 65530 to bind ports 3128-3130 on bind() with
> specified port number. Deny all (uid 65530 also) to bind these ports
> implicitly (means: without explicit bind, as first free port number).
> One can ask "why"? Because squid can die, and I don't want a situation when
> a bad user catches one of these ports and prevents squid from restarting.
> -> Allow port 25 to be bound by uid 25 (postfix or sendmail, as you wish).
> -> Deny implicit binding to ports 6000-6099 for any (but allow explicit
> binding, for any user which wants to simulate Xserver).
> -> Deny all explicit and implicit binding for all to 31337 port, to avoid
> fake BO detections.
> And so on...
>
> I have made such an implementation, but with ipfw-styled interface. If someone

Are these committed?

Fernando P. Schapachnik
Network Administration
VIA Net Works Argentina SA
Diagonal Roque Sáenz Peña 971, 4º y 5º piso.
1035 - Capital Federal, Argentina.
(54-11) 4323-3333 http://www.via-net-works.net.ar
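The bind rules quoted in this message, modeled as a first-match table in the ipfw style the quoted text mentions. This is an added example, not code from the thread or from the patch under discussion; the rule layout, the function names, and the fallback to the classic reserved-port check (ports below 1024 need uid 0) are assumptions.

```c
#include <stdio.h>

/* Hypothetical rule format; the thread does not show the patch's own syntax. */
enum { EXPLICIT = 1, IMPLICIT = 2, ANY_MODE = 3 };  /* bitmask of bind modes */
enum { DENY = 0, ALLOW = 1 };
#define ANY_UID (-1L)
struct bind_rule { int action; long uid; int modes; unsigned lo, hi; };

/* Constructed ruleset for the four quoted policies; first match wins. */
static const struct bind_rule rules[] = {
    { ALLOW, 65530,   EXPLICIT, 3128,  3130  },  /* squid uid, explicit bind only */
    { DENY,  ANY_UID, ANY_MODE, 3128,  3130  },  /* other uids, and every implicit bind */
    { ALLOW, 25,      EXPLICIT, 25,    25    },  /* MTA uid may take port 25 */
    { DENY,  ANY_UID, IMPLICIT, 6000,  6099  },  /* X range: explicit binds stay open */
    { DENY,  ANY_UID, ANY_MODE, 31337, 31337 },  /* nobody, either mode */
};

/* Returns ALLOW or DENY for one bind attempt by uid on port in the given mode. */
static int bind_allowed(long uid, unsigned port, int mode)
{
    for (size_t i = 0; i < sizeof(rules) / sizeof(rules[0]); i++) {
        const struct bind_rule *r = &rules[i];
        if (port >= r->lo && port <= r->hi && (r->modes & mode) &&
            (r->uid == ANY_UID || r->uid == uid))
            return r->action;
    }
    return port >= 1024 || uid == 0;  /* assumed default: reserved ports need root */
}

/* Implicit bind: first port in [lo, hi] that is not busy and not denied; 0 if none. */
static unsigned pick_implicit(long uid, unsigned lo, unsigned hi,
                              const unsigned *busy, size_t nbusy)
{
    for (unsigned p = lo; p <= hi; p++) {
        size_t i = 0;
        while (i < nbusy && busy[i] != p)
            i++;
        if (i == nbusy && bind_allowed(uid, p, IMPLICIT))
            return p;
    }
    return 0;
}

int main(void)
{
    printf("uid 1001, explicit bind to 3128: %d\n", bind_allowed(1001, 3128, EXPLICIT));
    printf("implicit pick in 3127-3135: %u\n", pick_implicit(65530, 3127, 3135, NULL, 0));
    return 0;
}
```

Rule order carries the policy: the squid ALLOW has to precede the catch-all DENY for 3128-3130, and because it matches explicit binds only, an implicit bind by uid 65530 falls through to the DENY.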