libunbound and limiting outgoing ports?

Wouter Wijngaards wouter at
Tue Jan 29 16:08:09 UTC 2019

Hi Paul,

On 1/29/19 4:50 PM, Paul Wouters wrote:
> On Mon, 28 Jan 2019, Wouter Wijngaards via Unbound-users wrote:
>>> For the unbound daemon we can set:
>>>     outgoing-port-permit: 32768-60999
>>>     outgoing-port-avoid: 0-32767
>>> Is there a way for a libunbound context to put in the same limitations?
>> Yes, you can read a config file or use ub_ctx_set_option.
>> For your example this would be:
>> ub_ctx_set_option(ctx, "outgoing-port-permit:", "32768-60999");
>> ub_ctx_set_option(ctx, "outgoing-port-avoid:", "0-32767");
> Štěpán did some testing for us and it seems libunbound is not
> honouring this. It must be specific daemon.c code that enforces this
> for the unbound daemon ?

The call to set_option has to happen before the context is first used.
Did you set the option too late?

With a quick test, it works for me.  But I did see a flaw in the locking
for the error case when the config condense code fails; fixing that.
But that locking issue for broken config not something that is causing
you a problem, I think.  It would not start anyhow, but the error is in
the cleanup after failure.

Best regards, Wouter

> It would be good to get libunbound to honour this as well, so it does
> not get caught in SElinux denials.
> Paul

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the Unbound-users mailing list