Date:      Fri, 20 Oct 2006 19:23:43 +0300
From:      Nikolay Pavlov <quetzal@zone3000.net>
To:        Fabian Keil <freebsd-listen@fabiankeil.de>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Binding Squid to reserved port (was: mac_portacl)
Message-ID:  <20061020162343.GA27287@zone3000.net>
In-Reply-To: <20061020165706.367b0302@localhost>
References:  <20061020140456.GA25717@zone3000.net> <20061020165706.367b0302@localhost>

On Friday, 20 October 2006 at 16:57:06 +0200, Fabian Keil wrote:
> Nikolay Pavlov <quetzal@zone3000.net> wrote:
> 
> > I am trying to implement a reverse proxy using squid with mac_portacl,
> > but I have a problem while binding squid to port 80.
> > Have I missed something?
> > 
> > Here are my mac_portacl variables:
> > 
> > # sysctl security.mac.portacl.
> > security.mac.portacl.enabled: 1
> > security.mac.portacl.suser_exempt: 1
> > security.mac.portacl.autoport_exempt: 1
> > security.mac.portacl.port_high: 1023
> > security.mac.portacl.rules: uid:100:tcp:80
> > 
> > And the squid user info:
> > 
> > # grep squid /etc/passwd
> > squid:*:100:100:squid caching-proxy pseudo user:/usr/local/squid:/usr/sbin/nologin
> > 
> > Also here is cache.log:
> > 
> > 2006/10/20 09:55:59| Starting Squid Cache version 2.5.STABLE14 for i386-portbld-freebsd6.1...
> > 2006/10/20 09:55:59| Process ID 6584
> > 2006/10/20 09:55:59| With 11072 file descriptors available
> > 2006/10/20 09:55:59| DNS Socket created at 0.0.0.0, port 59879, FD 5
> > 2006/10/20 09:55:59| Adding nameserver 206.53.60.10 from /etc/resolv.conf
> > 2006/10/20 09:55:59| User-Agent logging is disabled.
> > 2006/10/20 09:55:59| Unlinkd pipe opened on FD 10
> > 2006/10/20 09:55:59| Swap maxSize 102400000 KB, estimated 7876923 objects
> > 2006/10/20 09:55:59| Target number of buckets: 393846
> > 2006/10/20 09:55:59| Using 524288 Store buckets
> > 2006/10/20 09:55:59| Max Mem  size: 1048576 KB
> > 2006/10/20 09:55:59| Max Swap size: 102400000 KB
> > 2006/10/20 09:55:59| Rebuilding storage in /cache (DIRTY)
> > 2006/10/20 09:55:59| Using Least Load store dir selection
> > 2006/10/20 09:55:59| Set Current Directory to /usr/local/squid/cache
> > 2006/10/20 09:55:59| Loaded Icons.
> > 2006/10/20 09:55:59| commBind: Cannot bind socket FD 12 to *:80: (13) Permission denied
> > FATAL: Cannot open HTTP Port
> > Squid Cache (Version 2.5.STABLE14): Terminated abnormally.
> > CPU Usage: 0.035 seconds = 0.000 user + 0.035 sys
> > Maximum Resident Size: 9528 KB
> > Page faults with physical i/o: 0
> 
> I assume you aren't starting Squid with root privileges?
> 
> If you aren't, you'll have to lower
> net.inet.ip.portrange.reservedhigh if you want
> it to bind to port 80.
> 
> I don't use mac_portacl, but from the name I assume
> security.mac.portacl.port_high does something similar.
> 
> Port redirection with your packet filter of choice
> would be another option.

Yes, I am aware of this, but I want something simple, like portacl.
I am configuring it as described in the handbook, and I am curious why
it's not working.

According to the man page, security.mac.portacl.port_high is:
"The highest port number mac_portacl will enforce rules for."

So my MAC rules should work, but they are not working :)

> 
> Followup-To: freebsd-questions@freebsd.org set.
> 
> Fabian
> -- 
> http://www.fabiankeil.de/



-- 
======================================================================  
- Best regards, Nikolay Pavlov. <<<-----------------------------------    
======================================================================  
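The two checks Fabian's reply points at, the stock reserved-port range and mac_portacl, modelled in POSIX sh as an added example (this is not code from the thread, the handbook or the FreeBSD kernel). It replays the thread's own settings (uid 100, rule uid:100:tcp:80, port_high 1023) against both layers so you can see which one refuses the bind. Assumptions: the in-kernel logic is simplified to its decision rules, and net.inet.ip.portrange.reservedlow/reservedhigh default to 0/1023; the verdict strings are this script's own.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD: a userland model of
# the two independent checks a bind() to a low port must pass on FreeBSD
# when mac_portacl(4) is loaded. Kernel logic is simplified; the
# net.inet.ip.portrange.reserved{low,high} defaults (0, 1023) are assumed.

# Check 1: stock reserved-port range. Any port in [reservedlow, reservedhigh]
# needs root (PRIV_NETINET_RESERVEDPORT), whatever the MAC policy says.
# usage: reserved_ok UID PORT RESERVEDLOW RESERVEDHIGH
reserved_ok() {
    [ "$1" -eq 0 ] && return 0
    if [ "$2" -ge "$3" ] && [ "$2" -le "$4" ]; then
        return 1
    fi
    return 0
}

# Check 2: mac_portacl. RULES uses the security.mac.portacl.rules syntax:
# "uid:N:proto:port" or "gid:N:proto:port" entries joined by commas.
# usage: portacl_ok UID GID PROTO PORT ENABLED SUSER_EXEMPT AUTOPORT_EXEMPT PORT_HIGH RULES
portacl_ok() {
    p_uid=$1 p_gid=$2 p_proto=$3 p_port=$4
    p_enabled=$5 p_suser=$6 p_autoport=$7 p_high=$8 p_rules=$9
    [ "$p_enabled" -eq 1 ] || return 0              # module disabled: no opinion
    [ "$p_suser" -eq 1 ] && [ "$p_uid" -eq 0 ] && return 0
    [ "$p_autoport" -eq 1 ] && [ "$p_port" -eq 0 ] && return 0
    [ "$p_port" -gt "$p_high" ] && return 0         # above port_high: not enforced
    for rule in $(printf '%s\n' "$p_rules" | tr ',' ' '); do
        kind=${rule%%:*};   rest=${rule#*:}
        id=${rest%%:*};     rest=${rest#*:}
        rproto=${rest%%:*}; rport=${rest#*:}
        [ "$rproto" = "$p_proto" ] && [ "$rport" -eq "$p_port" ] || continue
        if [ "$kind" = uid ] && [ "$id" -eq "$p_uid" ]; then return 0; fi
        if [ "$kind" = gid ] && [ "$id" -eq "$p_gid" ]; then return 0; fi
    done
    return 1                                         # no matching rule: EPERM
}

# Both layers must agree. Prints a verdict naming the layer that refused.
# usage: bind_verdict UID GID PROTO PORT RESERVEDLOW RESERVEDHIGH \
#                     ENABLED SUSER_EXEMPT AUTOPORT_EXEMPT PORT_HIGH RULES
bind_verdict() {
    b_uid=$1 b_gid=$2 b_proto=$3 b_port=$4 b_low=$5 b_high=$6
    shift 6
    if ! reserved_ok "$b_uid" "$b_port" "$b_low" "$b_high"; then
        echo "denied: reserved-port range [$b_low,$b_high] needs root"
        return 1
    fi
    if ! portacl_ok "$b_uid" "$b_gid" "$b_proto" "$b_port" "$@"; then
        echo "denied: no mac_portacl rule for uid $b_uid/gid $b_gid on $b_proto:$b_port"
        return 1
    fi
    echo "allowed"
}

# The thread's configuration: squid is uid 100, the rule is uid:100:tcp:80
# and port_high is 1023.
SQUID_RULES='uid:100:tcp:80'

# With the assumed stock reservedhigh=1023 the portacl rule never gets a say:
squid_with_defaults() { bind_verdict 100 100 tcp 80 0 1023 1 1 1 1023 "$SQUID_RULES"; }

# With the reserved range collapsed (reservedlow=reservedhigh=0, i.e. the
# sysctl change Fabian suggests), mac_portacl is the only gate and the same
# rule permits the bind:
squid_with_portacl_only() { bind_verdict 100 100 tcp 80 0 0 1 1 1 1023 "$SQUID_RULES"; }

squid_with_defaults || true
squid_with_portacl_only
```

Run it as-is to see the two verdicts; change the RESERVEDLOW/RESERVEDHIGH arguments or the rule string to check other uid, gid and port combinations before touching a live sysctl.conf.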




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20061020162343.GA27287>