libunbound and limiting outgoing ports?
Wouter Wijngaards
wouter at nlnetlabs.nl
Tue Jan 29 16:08:09 UTC 2019
Hi Paul,
On 1/29/19 4:50 PM, Paul Wouters wrote:
> On Mon, 28 Jan 2019, Wouter Wijngaards via Unbound-users wrote:
>
>>> For the unbound daemon we can set:
>>>
>>> outgoing-port-permit: 32768-60999
>>> outgoing-port-avoid: 0-32767
>>>
>>> Is there a way for a libunbound context to put in the same limitations?
>>
>> Yes, you can read a config file or use ub_ctx_set_option.
>>
>> For your example this would be:
>> ub_ctx_set_option(ctx, "outgoing-port-permit:", "32768-60999");
>> ub_ctx_set_option(ctx, "outgoing-port-avoid:", "0-32767");
>
> Štěpán did some testing for us and it seems libunbound is not
> honouring this. It must be specific daemon.c code that enforces this
> for the unbound daemon?
The call to set_option has to happen before the context is first used.
Did you set the option too late?
With a quick test, it works for me. But I did see a flaw in the locking
for the error case when the config condense code fails; fixing that.
But that locking issue for broken config is not something that is causing
you a problem, I think. It would not start anyhow, but the error is in
the cleanup after failure.
Best regards, Wouter
>
> It would be good to get libunbound to honour this as well, so it does
> not get caught in SElinux denials.
>
> Paul
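Added example (not code from the thread or from unbound itself): a small C model of what the two option strings do and of the "set before first use" point Wouter raises. It follows the semantics documented in unbound.conf(5), where outgoing-port-permit and outgoing-port-avoid are applied in the order given, starting from a default that permits ports above 1024 minus IANA-assigned ones, and libunbound's rule that ub_ctx_set_option() is refused once the context has been used; the return values 0, -3 and -6 mirror UB_NOERROR, UB_SYNTAX and UB_AFTERFINAL from unbound.h. The model_ctx_* names, the xorshift generator and the omission of the IANA exclusions are this example's own assumptions.

```c
/* Added example, not unbound's own code: a model of the documented
 * outgoing-port-permit / outgoing-port-avoid semantics and of libunbound's
 * "no option changes after the context is in use" rule.  Error values
 * mirror unbound.h: 0 UB_NOERROR, -3 UB_SYNTAX, -6 UB_AFTERFINAL. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NUM_PORTS 65536
#define ERR_NOERROR     0
#define ERR_SYNTAX     -3
#define ERR_AFTERFINAL -6

/* Model of a resolver context (assumed name): the table of usable source
 * ports and whether the first query has already gone out. */
struct model_ctx {
    unsigned char avail[NUM_PORTS];  /* nonzero: port may be used */
    int finalized;
    unsigned rng;                    /* toy xorshift32 state */
};

/* Parse "N" or "low-high" (unbound.conf syntax, no spaces). 0 on error. */
static int parse_port_range(const char *s, int *low, int *high)
{
    char *end;
    long lo = strtol(s, &end, 10), hi;
    if (end == s || lo < 0 || lo >= NUM_PORTS) return 0;
    if (*end == '\0') { *low = *high = (int)lo; return 1; }
    if (*end != '-') return 0;
    s = end + 1;
    hi = strtol(s, &end, 10);
    if (end == s || *end != '\0' || hi < lo || hi >= NUM_PORTS) return 0;
    *low = (int)lo; *high = (int)hi;
    return 1;
}

/* Default start state: unbound permits 1024-65535 minus IANA-assigned
 * ports; this model only applies the "above 1024" part. */
static void model_ctx_init(struct model_ctx *c)
{
    int i;
    memset(c, 0, sizeof(*c));
    for (i = 1024; i < NUM_PORTS; i++) c->avail[i] = 1;
    c->rng = 0x9E3779B9u;
}

/* Like ub_ctx_set_option(): the option name keeps its trailing ':',
 * directives apply in call order, and nothing changes after first use. */
static int model_ctx_set_option(struct model_ctx *c, const char *opt,
                                const char *val)
{
    int lo, hi, i, allow;
    if (c->finalized) return ERR_AFTERFINAL;
    if (strcmp(opt, "outgoing-port-permit:") == 0) allow = 1;
    else if (strcmp(opt, "outgoing-port-avoid:") == 0) allow = 0;
    else return ERR_SYNTAX;                  /* other options not modelled */
    if (!parse_port_range(val, &lo, &hi)) return ERR_SYNTAX;
    for (i = lo; i <= hi; i++) c->avail[i] = (unsigned char)allow;
    return ERR_NOERROR;
}

/* Pick a random source port for an outgoing query; the first call
 * finalizes the context as the first ub_resolve() does.  -1 if the
 * configuration left no usable port. */
static int model_ctx_pick_port(struct model_ctx *c)
{
    int i, n = 0, idx;
    c->finalized = 1;
    for (i = 0; i < NUM_PORTS; i++) n += c->avail[i];
    if (n == 0) return -1;
    c->rng ^= c->rng << 13; c->rng ^= c->rng >> 17; c->rng ^= c->rng << 5;
    idx = (int)(c->rng % (unsigned)n);
    for (i = 0; i < NUM_PORTS; i++)
        if (c->avail[i] && idx-- == 0) return i;
    return -1;
}

/* Check that every permitted port lies inside [lo, hi], e.g. the range a
 * port-based security policy allows the process to bind. */
static int model_ctx_within(const struct model_ctx *c, int lo, int hi)
{
    int i;
    for (i = 0; i < NUM_PORTS; i++)
        if (c->avail[i] && (i < lo || i > hi)) return 0;
    return 1;
}

int main(void)
{
    struct model_ctx c;
    int rc;
    model_ctx_init(&c);
    /* the two calls from the thread, made before first use */
    rc  = model_ctx_set_option(&c, "outgoing-port-permit:", "32768-60999");
    rc |= model_ctx_set_option(&c, "outgoing-port-avoid:", "0-32767");
    printf("rc=%d, all ports within 32768-60999: %d\n", rc,
           model_ctx_within(&c, 32768, 60999));
    rc = model_ctx_set_option(&c, "outgoing-port-avoid:", "61000-65535");
    printf("after avoiding 61000-65535: %d\n", model_ctx_within(&c, 32768, 60999));
    printf("first query uses source port %d\n", model_ctx_pick_port(&c));
    rc = model_ctx_set_option(&c, "outgoing-port-avoid:", "40000-40010");
    printf("set_option after first use: rc=%d (UB_AFTERFINAL is -6)\n", rc);
    return 0;
}
```

Two things fall out of running it. The setter called after the first query returns -6, which is the value to check for when diagnosing the "set too late" case in a real libunbound program (ub_strerror() turns it into text). And the pair of calls from the thread leaves 61000-65535 permitted, because only 0-32767 is avoided and the default already permits everything above 1024; to keep a libunbound process inside exactly 32768-60999, add outgoing-port-avoid: 61000-65535 as well, and use a check like model_ctx_within() to confirm the resulting set.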