Solved PF not working on FreeBSD 10.1 with 2 NICs

People can run Apache as a non-root user instead of as root. If someone hacks their Apache, they cannot get root access. A non-root user cannot bind to a port lower than 1024.
My problem is that even if I delete the rdr line and run Apache on port 80, port 80 is still dead from outside.
 
I understand now. The classic UNIX model is that ports below 1024 require root privileges to bind to. This is why web servers have a process running as root to bind to port 80 and then fork off processes as a dedicated user to actually serve requests. Since it's likely going to be the dedicated www user serving requests that gets broken into, it seems like no security gain for plenty of configuration pain.

If you really did want to go down the route of mucking with defaults, the net.inet.ip.portrange.reservedhigh sysctl(8) sets the highest port that requires root privilege to bind to, 1023 by default. There are also MAC policies that can be used to give specified users, such as www, the ability to use ports like 80 without ever needing root privileges. See https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/mac-policies.html

Bottom line though, most of the security benefit you hear of from running programs on a random high port is security through obscurity. If you don't have public users using the servers, then using random high ports cuts down on a lot of noise. Just going down the road of redirecting the incoming connections or messing with MAC port range policy isn't buying you much.
 
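As an added illustration of the two mechanisms named in the reply above (not configuration from the original thread), here is what letting the www user bind port 80 without root looks like with the mac_portacl(4) policy. It assumes the www user has the default FreeBSD uid of 80 and that Apache is the only service that needs a reserved port; the reservedlow/reservedhigh lines hand the decision over to the MAC policy, as the handbook page linked above describes.

```conf
# /boot/loader.conf  -- load the port ACL MAC policy at boot
mac_portacl_load="YES"

# /etc/sysctl.conf  -- disable the classic "root only below 1024" check
# so that mac_portacl decides who may bind reserved ports instead
net.inet.ip.portrange.reservedlow=0
net.inet.ip.portrange.reservedhigh=0

# mac_portacl still protects ports 0-1023 ...
security.mac.portacl.port_high=1023
# ... root is still allowed to bind any of them ...
security.mac.portacl.suser_exempt=1
# ... and uid 80 (www, assumed) may additionally bind TCP port 80.
# Format is [uid|gid]:id:[tcp|udp]:port, comma-separated for more rules.
security.mac.portacl.rules=uid:80:tcp:80
security.mac.portacl.enabled=1
```

After a reboot (or `kldload mac_portacl` plus `sysctl -f /etc/sysctl.conf` as root), Apache started as www can listen on port 80 directly, so no pf rdr rule is needed and nothing in the web server path ever runs as root.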
People (me too) believe that running any service on a port greater than 1024 is more secure than on ports less than 1024. Some services even refuse to run on a port less than 1024. Some people are scared to run services on ports less than 1024. I do not know why.

As a really general comment, the biggest security danger is not understanding something. When folks are "scared" of doing something like running services in a certain configuration, basing actions on fears or guesses isn't going to help. As you see things like this, take the time to understand why things work the way they do. That's going to be the best thing you can do, and not just for security.
 