RFC6056(7) BSD Miscellaneous Information Manual RFC6056(7)NAME
rfc6056 -- port randomization algorithms
DESCRIPTION
The rfc6056 algorithms are used in order to randomize the port allocation of outgoing UDP packets, in order to provide protection from a
series of ``blind'' attacks based on the attacker's ability to guess the sequence of ephemeral ports associated with outgoing packets. For
more information consult RFC 6056.
The individual algorithms are described below:
The RFC 6056 algorithms
The following algorithms are available:
bsd This is the default NetBSD port selection algorithm, which starts from anonportmax and proceeds decreasingly through the avail-
able ephemeral ports.
random_start Select ports randomly from the available ephemeral ports. In case a collision with a local port is detected, the algorithm
proceeds decreasingly through the sequence of ephemeral ports until a free port is found. Note that the random port selection
algorithms are not guaranteed to find a free port.
random_pick Select ports randomly from the available ephemeral ports. In case a collision with a local port is detected the algorithm
tries selecting a new port randomly until a free port is found.
hash Select ports using a md5(3) hash of the local address, the foreign address, and the foreign port. Note that in the case of a
bind(2) call some of this information might be unavailable and the port selection is delayed until the time of a connect(2)
call, performed either explicitly or up calling sendto(2).
doublehash Select ports using a md5(3) hash of the local address, foreign address, and foreign port coupled with a md5(3) hash of the same
components obtained using a separate table that is associated with a subset of all outgoing connections. The same considera-
tions regarding late connection as in the case of hash apply.
randinc Use random increments in order to select the next port.
SYSCTL CONTROLS
The following sysctl controls are available for selecting the default port randomization algorithm:
sysctl name Type Changeable
net.inet.udp.rfc6056.available string no
net.inet.udp.rfc6056.selected string yes
net.inet6.udp6.rfc6056.available string no
net.inet6.udp6.rfc6056.selected string yes
SOCKET OPTIONS
The socket option UDP_RFC6056ALGO at the IPPROTO_UDP level can be used with a string argument specifying the algorithm's name in order to
select the port randomization algorithm for a specific socket. For more info see setsockopt(2).
SEE ALSO setsockopt(2), sysctl(3), sysctl(7)HISTORY
The rfc6056 algorithms first appeared in NetBSD 6.0.
BSD August 25, 2011 BSD
Check Out this Related Man Page
MAC_PORTACL(4) BSD Kernel Interfaces Manual MAC_PORTACL(4)NAME
mac_portacl -- network port access control policy
SYNOPSIS
To compile the port access control policy into your kernel, place the following lines in your kernel configuration file:
options MAC
options MAC_PORTACL
Alternately, to load the port access control policy module at boot time, place the following line in your kernel configuration file:
options MAC
and in loader.conf(5):
mac_portacl_load="YES"
DESCRIPTION
The mac_portacl policy allows administrators to administratively limit binding to local UDP and TCP ports via the sysctl(8) interface.
In order to enable the mac_portacl policy, MAC policy must be enforced on sockets (see mac(4)), and the port(s) protected by mac_portacl must
not be included in the range specified by the net.inet.ip.portrange.reservedlow and net.inet.ip.portrange.reservedhigh sysctl(8) MIBs.
The mac_portacl policy only affects ports explicitly bound by a user process (either for a listen/outgoing TCP socket, or a send/receive UDP
socket). This policy will not limit ports bound implicitly for outgoing connections where the process has not explicitly selected a port:
these are automatically selected by the IP stack.
When mac_portacl is enabled, it will control binding access to ports up to the port number set in the security.mac.portacl.port_high
sysctl(8) variable. By default, all attempts to bind to mac_portacl controlled ports will fail if not explicitly allowed by the port access
control list, though binding by the superuser will be allowed, if the sysctl(8) variable security.mac.portacl.suser_exempt is set to a non-
zero value.
Runtime Configuration
The following sysctl(8) MIBs are available for fine-tuning the enforcement of this MAC policy. All sysctl(8) variables, except
security.mac.portacl.rules, can also be set as loader(8) tunables in loader.conf(5).
security.mac.portacl.enabled
Enforce the mac_portacl policy. (Default: 1).
security.mac.portacl.port_high
The highest port number mac_portacl will enforce rules for. (Default: 1023).
security.mac.portacl.rules
The port access control list is specified in the following format:
idtype:id:protocol:port[,idtype:id:protocol:port,...]
idtype Describes the type of subject match to be performed. Either uid for user ID matching, or gid for group ID matching.
id The user or group ID (depending on idtype) allowed to bind to the specified port. NOTE: User and group names are not
valid; only the actual ID numbers may be used.
protocol Describes which protocol this entry applies to. Either tcp or udp are supported.
port Describes which port this entry applies to. NOTE: MAC security policies may not override other security system policies by
allowing accesses that they may deny, such as net.inet.ip.portrange.reservedlow / net.inet.ip.portrange.reservedhigh. If
the specified port falls within the range specified, the mac_portacl entry will not function (i.e., even the specified
user/group may not be able to bind to the specified port).
security.mac.portacl.suser_exempt
Allow superuser (i.e., root) to bind to all mac_portacl protected ports, even if the port access control list does not explicitly
allow this. (Default: 1).
security.mac.portacl.autoport_exempt
Allow applications to use automatic binding to port 0. Applications use port 0 as a request for automatic port allocation when bind-
ing an IP address to a socket. This tunable will exempt port 0 allocation from rule checking. (Default: 1).
SEE ALSO mac(3), ip(4), mac_biba(4), mac_bsdextended(4), mac_ifoff(4), mac_mls(4), mac_none(4), mac_partition(4), mac_seeotheruids(4), mac_test(4),
mac(9)HISTORY
MAC first appeared in FreeBSD 5.0 and mac_portacl first appeared in FreeBSD 5.1.
AUTHORS
This software was contributed to the FreeBSD Project by NAI Labs, the Security Research Division of Network Associates Inc. under
DARPA/SPAWAR contract N66001-01-C-8035 (``CBOSS''), as part of the DARPA CHATS research program.
BSD December 9, 2004 BSD