libunbound and limiting outgoing ports?

Wouter Wijngaards wouter at
Wed Jan 30 06:32:32 UTC 2019

Hi Štěpán,

On 29/01/2019 17:22, Štěpán Brož wrote:
> Hello,
>> The call to set_option has to happen before the context is first used.
>> Did you set the option too late?
>> With a quick test, it works for me.  But I did see a flaw in the locking
>> for the error case when the config condense code fails; fixing that.
>> But that locking issue for broken config not something that is causing
>> you a problem, I think.  It would not start anyhow, but the error is in
>> the cleanup after failure.
> Find attached a patch I used for my testing. It's a patch against
> libreswan-3.27, I was testing using unbound-libs-1.7.3. I placed the
> config right next to other libunbound configuration, so I don't think
> the context was already used for any queries. Would it be visible in
> libunbound verbose logs?
> None of the outgoing-port-* configuration from
> /etc/unbound/unbound.conf worked, while verbosity and logfile worked.
> My unbound.conf:
> server:
>     outgoing-port-permit: 32768-60999
>     outgoing-port-avoid: 0-32767
>     verbosity: 5
>     logfile: /var/log/unbound.log

So, I think that, the config is working just fine, but there is no
statement to stop it from using ports above 61000. Hence the 63xxx port
number that you see.  If you want it to avoid the ports above 6100 you
need to add a statement to that effect.  You can have a number of
statements, they are processed in order.  So another
outgoing-port-avoid: 61000-65535 . That would stop the port number above
61000 from getting picked.  Or start with outgoing-port-avoid: 0-65535
and then permit selectively.

Best regards, Wouter

> Also the hardcoded values made no difference, I still saw:
> type=AVC msg=audit(1548761530.058:1406): avc:  denied  { name_bind }
> for  pid=4927 comm="addconn" src=63737
> scontext=system_u:system_r:ipsec_t:s0
> tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket
> permissive=0
> [1548761530] libunbound[4927:0] debug: dnssec status: not expected
> [1548761530] libunbound[4927:0] debug: EDNS lookup known=1 vs=0
> [1548761530] libunbound[4927:0] debug: serviced query UDP timeout=662 msec
> [1548761530] libunbound[4927:0] debug: inserted new pending reply id=8d65
> [1548761530] libunbound[4927:0] error: can't bind socket: Permission
> denied for port 63737 (len 16)
> All the code reading and respecting the outgoing-port-* directives is
> placed in daemon.c.
> I need more eyes, am I doing it wrong?
> Regards,
> Stepan

More information about the Unbound-users mailing list