I know this is an old discussion - but your problem is, imho, self-inflicted.
The default is zero (0)
In the early 1980's there was this idea that port numbers less than 1024 could be "trusted" because only the super-user (aka root) could access them. This trust has been misplaced since the late 1980's as too many processes can access this so-called trusted ports. Why trust NFS (on port 2049)? It is well above 1024. Why it that number above 2049 trust-worthy and not other numbers.
In short, "trusted ports" exist in that it is still specified that a kernel privilege is needed to "open" aka request a connection from/to any other port.
If someone, even from your local security, says they MUST be 1023 and smaller - of course you can comply - BUT they are causing another security concept to become breached - availability. Not enough ports means no connectivity.
In short, port numbers - there is no added trust because a specific port number is being used. There might be a technical reason (e.g., firewall rules) to stay in a particular range - but the port number itself neither adds nor subtracts from the application security.
Hi Guys,
i am trying to open a port in AIX.
but i am not able to get the command for this. AIX is not having the iptables file present.
So please any body can tell me how to open a port in AIX...
Thanks
sanju (2 Replies)
Hi,
I am working with sun Solaris 5.9 and in my application,I have to communicate with Serial port(i.e /dev/term/a).
So I need source code to by which I can do the following things--
1)check the port is available or not.If it dosn't find the port,it should throw the error message(i.e. port not... (0 Replies)
In general for intalling a package like we do
./configure, make , make install
But if we want to integrate the package with a huge source base
what are the things to be taken care
could some one have a light on purpose of ./configure , make and make install
along with above question.
I... (1 Reply)
Hi,
I was looking on Google for AIX-VIO/LPAR with ISCSI solution and found following really nice tutorial about how to setup ISCSI with free NAS.
1) Build Your Own Open Source NAS Device Using FreeNAS | Train Signal Training - Free Computer Training Videos
2) Build Your Own Open Source... (4 Replies)
Hello all. I have never had any issues like this when compiling applications from source. When I try to compile samba-3.5.0pre2, configure runs with no issues, but when the time comes to make, this happens:
make: make 1254-025 There must be an existing description file or specify a target.
... (4 Replies)
Hello Gurus,
I was trying to find who's using my port and got below answer from a IBM website. But the problem with the below answer is I need a root to run the rmsock, is there any other alternative to find out who is using my port with out a root access??
1. netstat -Aan | grep <port... (1 Reply)
Hi all,
I need to change the source port number of an outgoing TCP packet. First I have to bind the socket to a particular port(suppose 9001) but when I send the TCP packet I want to change the source port number lets say to 9002 still letting the socket to be bound to the same old port (9001).... (0 Replies)
Hello all,
I need your help with any command to release a port on AIX.
Thanks for all. (5 Replies)
Discussion started by: Mcipamo
5 Replies
LEARN ABOUT DEBIAN
mac_portacl
MAC_PORTACL(4) BSD Kernel Interfaces Manual MAC_PORTACL(4)NAME
mac_portacl -- network port access control policy
SYNOPSIS
To compile the port access control policy into your kernel, place the following lines in your kernel configuration file:
options MAC
options MAC_PORTACL
Alternately, to load the port access control policy module at boot time, place the following line in your kernel configuration file:
options MAC
and in loader.conf(5):
mac_portacl_load="YES"
DESCRIPTION
The mac_portacl policy allows administrators to administratively limit binding to local UDP and TCP ports via the sysctl(8) interface.
In order to enable the mac_portacl policy, MAC policy must be enforced on sockets (see mac(4)), and the port(s) protected by mac_portacl must
not be included in the range specified by the net.inet.ip.portrange.reservedlow and net.inet.ip.portrange.reservedhigh sysctl(8) MIBs.
The mac_portacl policy only affects ports explicitly bound by a user process (either for a listen/outgoing TCP socket, or a send/receive UDP
socket). This policy will not limit ports bound implicitly for outgoing connections where the process has not explicitly selected a port:
these are automatically selected by the IP stack.
When mac_portacl is enabled, it will control binding access to ports up to the port number set in the security.mac.portacl.port_high
sysctl(8) variable. By default, all attempts to bind to mac_portacl controlled ports will fail if not explicitly allowed by the port access
control list, though binding by the superuser will be allowed, if the sysctl(8) variable security.mac.portacl.suser_exempt is set to a non-
zero value.
Runtime Configuration
The following sysctl(8) MIBs are available for fine-tuning the enforcement of this MAC policy. All sysctl(8) variables, except
security.mac.portacl.rules, can also be set as loader(8) tunables in loader.conf(5).
security.mac.portacl.enabled
Enforce the mac_portacl policy. (Default: 1).
security.mac.portacl.port_high
The highest port number mac_portacl will enforce rules for. (Default: 1023).
security.mac.portacl.rules
The port access control list is specified in the following format:
idtype:id:protocol:port[,idtype:id:protocol:port,...]
idtype Describes the type of subject match to be performed. Either uid for user ID matching, or gid for group ID matching.
id The user or group ID (depending on idtype) allowed to bind to the specified port. NOTE: User and group names are not
valid; only the actual ID numbers may be used.
protocol Describes which protocol this entry applies to. Either tcp or udp are supported.
port Describes which port this entry applies to. NOTE: MAC security policies may not override other security system policies by
allowing accesses that they may deny, such as net.inet.ip.portrange.reservedlow / net.inet.ip.portrange.reservedhigh. If
the specified port falls within the range specified, the mac_portacl entry will not function (i.e., even the specified
user/group may not be able to bind to the specified port).
security.mac.portacl.suser_exempt
Allow superuser (i.e., root) to bind to all mac_portacl protected ports, even if the port access control list does not explicitly
allow this. (Default: 1).
security.mac.portacl.autoport_exempt
Allow applications to use automatic binding to port 0. Applications use port 0 as a request for automatic port allocation when bind-
ing an IP address to a socket. This tunable will exempt port 0 allocation from rule checking. (Default: 1).
SEE ALSO mac(3), ip(4), mac_biba(4), mac_bsdextended(4), mac_ifoff(4), mac_mls(4), mac_none(4), mac_partition(4), mac_seeotheruids(4), mac_test(4),
mac(9)HISTORY
MAC first appeared in FreeBSD 5.0 and mac_portacl first appeared in FreeBSD 5.1.
AUTHORS
This software was contributed to the FreeBSD Project by NAI Labs, the Security Research Division of Network Associates Inc. under
DARPA/SPAWAR contract N66001-01-C-8035 (``CBOSS''), as part of the DARPA CHATS research program.
BSD December 9, 2004 BSD