From owner-freebsd-questions Fri Oct 12 5:30:37 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from mail2.mediadesign.nl (md2.mediadesign.nl [212.19.205.67]) by hub.freebsd.org (Postfix) with SMTP id 0F5BF37B406; Fri, 12 Oct 2001 05:30:34 -0700 (PDT)
Received: (qmail 16763 invoked by uid 1002); 12 Oct 2001 12:30:31 -0000
Date: Fri, 12 Oct 2001 14:30:31 +0200
From: Alson van der Meulen
To: freebsd-questions@freebsd.org
Subject: Re: How to protect binding to interface ?
Message-ID: <20011012143031.B21997@md2.mediadesign.nl>
Mail-Followup-To: freebsd-questions@freebsd.org
References: <20011010214156.B27378@brained.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20011010214156.B27378@brained.org>
User-Agent: Mutt/1.3.22i
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Wed, Oct 10, 2001 at 09:41:56PM -0400, Simon Perkins wrote:
> Hi,
>
> I am learning FreeBSD and wanted to know if there is any means in
> FreeBSD to prevent non-root users from binding to public interfaces or
> maybe something which even makes the public network interfaces
> invisible to them. Can anybody point me in the right direction?

try something like:

    allow tcp from any to any in via fxp0 setup uid root
    reset tcp from any to any in via fxp0 setup

(where fxp0 is your public interface) in your firewall rules (ipfw).

this is for tcp only, go figure yourself how to do udp (might be
difficult since there's no 'setup' keyword for udp, maybe you can just
deny them any udp traffic, the only normal udp traffic I can think of is
dns, but that can be circumvented by running a local caching bind).

if you've any non-root network daemons running (e.g. bind as a non-root
user), add separate allow rules for these (before the reset rule, of
course).

note: this is untested.

AFAIK, there's no thing to deny them binding, you can only deny all
traffic to these sockets.

--
,-------------------------------------------.
> Name: Alson van der Meulen <
> Personal: alson@flutnet.org <
> School: alson@gymnasiumleiden.nl <
`-------------------------------------------'
Terminated??!
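To see what the two rules above actually catch (and what they miss), here is an added example that is not part of the original post and is not ipfw itself: a simplified first-match model of the rule set, with one extra allow rule per non-root daemon uid placed before the reset, as the reply recommends. The interface name fxp0 and the daemon uid 53 are constructed sample values.

```python
# Simplified first-match model of the ipfw rules from the post (added
# example, not ipfw). ipfw walks its rules in order and acts on the first
# match; 'setup' matches only a TCP SYN, and 'uid N' matches only when the
# socket that would receive the packet is owned by uid N.
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "reset"
    proto: str                  # "tcp" or "udp"
    via: str                    # interface the packet arrives on
    setup: bool                 # restrict to connection setup (SYN)
    uid: Optional[int] = None   # owner of the receiving socket, if checked


@dataclass(frozen=True)
class Packet:
    proto: str
    iface: str
    syn: bool
    sock_uid: Optional[int]     # owner of the listening socket, None if none


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != pkt.proto or rule.via != pkt.iface:
        return False
    if rule.setup and not pkt.syn:
        return False
    if rule.uid is not None and pkt.sock_uid != rule.uid:
        return False
    return True


def evaluate(rules: Sequence[Rule], pkt: Packet) -> str:
    """Action of the first matching rule, or 'default' if nothing matched."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "default"


def ruleset(public_if: str, daemon_uids: Sequence[int] = ()) -> list:
    """Root allow, then one allow per trusted daemon uid, then the reset."""
    rules = [Rule("allow", "tcp", public_if, True, uid=0)]
    rules += [Rule("allow", "tcp", public_if, True, uid=u) for u in daemon_uids]
    rules.append(Rule("reset", "tcp", public_if, True))   # must stay last
    return rules


# Constructed sample: public interface fxp0, bind running as uid 53.
RULES = ruleset("fxp0", daemon_uids=[53])
```

A UDP packet, or a SYN arriving on a non-public interface, matches none of these rules and falls through to whatever the rest of the ruleset does, which is exactly the gap the reply points out.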