On Tue, 24 May 2005, Pawel Jakub Dawidek wrote:

This patch gives another option, so one doesn't need to use a firewall for this purpose. It adds a new idtype, 'jid'. With this patch, one can configure that the jail with the given JID can use only the defined ports:

        # sysctl security.mac.portacl.rules="jid:1:tcp:80"

Patch is here:

        http://people.freebsd.org/~pjd/patches/mac_portacl.c.patch

Any objections?

This sounds fine to me, especially since it doesn't break forwards compatibility from older mac_portacl rule sets.

However, I've CC'd Samy Al Bahra, who has a set of outstanding mac_portacl patches that are similar, and might have some comments on your proposed changes. My primary concern with his changes was that they changed the syntax in a way that broke backwards compatibility to older defined rules; on the other hand, his version of the changes allowed further scoping of things like "user id 80 in jail 20 can bind port 80", whereas the above supports a single layer of scoping.

Robert N M Watson
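To make the rule syntax under discussion concrete, here is an added user-space model of mac_portacl rule parsing and evaluation with the proposed 'jid' idtype; it is not the patch from the thread nor the module's own code. The rule format (comma-separated idtype:id:proto:port entries) is the module's existing one; the evaluation semantics, including the single-layer scoping Robert describes (a jid rule applies to every uid inside that jail), are assumptions of this model.

```python
# Added example (not the patch from the thread): a user-space model of the
# mac_portacl rule syntax, extended with the proposed 'jid' idtype.
# Rule string: comma-separated entries of the form idtype:id:proto:port,
# e.g. "uid:80:tcp:80,jid:1:tcp:80". Evaluation semantics are an assumption:
# a bind is allowed if any rule matches the caller's uid, gid or jail id.
from typing import List, NamedTuple

IDTYPES = ("uid", "gid", "jid")   # 'jid' is the new idtype proposed in the thread
PROTOS = ("tcp", "udp")


class Rule(NamedTuple):
    idtype: str
    id: int
    proto: str
    port: int


def parse_rules(spec: str) -> List[Rule]:
    """Parse a security.mac.portacl.rules string; reject malformed entries.
    Older rule sets (uid/gid only) still parse, so compatibility is kept."""
    rules = []
    for entry in filter(None, spec.split(",")):
        fields = entry.split(":")
        if len(fields) != 4:
            raise ValueError(f"bad rule {entry!r}: expected idtype:id:proto:port")
        idtype, id_, proto, port = fields
        if idtype not in IDTYPES or proto not in PROTOS:
            raise ValueError(f"bad rule {entry!r}: unknown idtype or protocol")
        id_n, port_n = int(id_), int(port)
        if not 0 <= port_n <= 65535:
            raise ValueError(f"bad rule {entry!r}: port out of range")
        rules.append(Rule(idtype, id_n, proto, port_n))
    return rules


def may_bind(rules: List[Rule], uid: int, gid: int, jid: int,
             proto: str, port: int) -> bool:
    """True if some rule grants this credential the port.
    Scoping is single-layer: a jid rule cannot be narrowed to one uid inside
    the jail, which is the limitation Robert contrasts with Samy's patches."""
    ids = {"uid": uid, "gid": gid, "jid": jid}
    return any(r.proto == proto and r.port == port and ids[r.idtype] == r.id
               for r in rules)
```

Jail id 0 is used here to mean an unjailed process, so a jid rule never matches host processes.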
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[EMAIL PROTECTED]"