libunbound and limiting outgoing ports?

Hi,

For the unbound daemon we can set:

   outgoing-port-permit: 32768-60999
   outgoing-port-avoid: 0-32767

Is there a way for a libunbound context to put in the same limitations?

We are seeing that sometimes libreswan's use of libunbound triggers
selinux denials and I suspect it is due to the use of ephemeral ports.

Paul

Hi Paul,

Hi,

For the unbound daemon we can set:

outgoing-port-permit: 32768-60999
outgoing-port-avoid: 0-32767

Is there a way for a libunbound context to put in the same limitations?

Yes, you can read a config file or use ub_ctx_set_option.

For your example this would be:
ub_ctx_set_option(ctx, "outgoing-port-permit:", "32768-60999");
ub_ctx_set_option(ctx, "outgoing-port-avoid:", "0-32767");

Best regards, Wouter

Štěpán did some testing for us and it seems libunbound is not
honouring this. It must be specific daemon.c code that enforces this
for the unbound daemon?

It would be good to get libunbound to honour this as well, so it does
not get caught in SElinux denials.

Paul

Hi Paul,

For the unbound daemon we can set:

outgoing-port-permit: 32768-60999
outgoing-port-avoid: 0-32767

Is there a way for a libunbound context to put in the same limitations?

Yes, you can read a config file or use ub_ctx_set_option.

For your example this would be:
ub_ctx_set_option(ctx, "outgoing-port-permit:", "32768-60999");
ub_ctx_set_option(ctx, "outgoing-port-avoid:", "0-32767");

Štěpán did some testing for us and it seems libunbound is not
honouring this. It must be specific daemon.c code that enforces this
for the unbound daemon?

The call to set_option has to happen before the context is first used.
Did you set the option too late?

With a quick test, it works for me. But I did see a flaw in the locking
for the error case when the config condense code fails; fixing that.
But that locking issue for broken config is not something that is causing
you a problem, I think. It would not start anyhow, but the error is in
the cleanup after failure.

Best regards, Wouter

Hi Štěpán,

Hello,

The call to set_option has to happen before the context is first used.
Did you set the option too late?

With a quick test, it works for me. But I did see a flaw in the locking
for the error case when the config condense code fails; fixing that.
But that locking issue for broken config is not something that is causing
you a problem, I think. It would not start anyhow, but the error is in
the cleanup after failure.

Find attached a patch I used for my testing. It's a patch against
libreswan-3.27, I was testing using unbound-libs-1.7.3. I placed the
config right next to other libunbound configuration, so I don't think
the context was already used for any queries. Would it be visible in
libunbound verbose logs?

None of the outgoing-port-* configuration from
/etc/unbound/unbound.conf worked, while verbosity and logfile worked.

My unbound.conf:

server:
    outgoing-port-permit: 32768-60999
    outgoing-port-avoid: 0-32767
    verbosity: 5
    logfile: /var/log/unbound.log

So, I think that the config is working just fine, but there is no
statement to stop it from using ports above 61000. Hence the 63xxx port
number that you see. If you want it to avoid the ports above 6100 you
need to add a statement to that effect. You can have a number of
statements, they are processed in order. So another
outgoing-port-avoid: 61000-65535. That would stop the port number above
61000 from getting picked. Or start with outgoing-port-avoid: 0-65535
and then permit selectively.

Best regards, Wouter

Hi Štěpán,

Hello Wouter,

On Wed 30 Jan 2019 at 7:32, Wouter Wijngaards <wouter@nlnetlabs.nl> wrote:

So, I think that the config is working just fine, but there is no
statement to stop it from using ports above 61000. Hence the 63xxx port
number that you see. If you want it to avoid the ports above 6100 you
need to add a statement to that effect. You can have a number of
statements, they are processed in order. So another
outgoing-port-avoid: 61000-65535. That would stop the port number above
61000 from getting picked. Or start with outgoing-port-avoid: 0-65535
and then permit selectively.

Thank you! Yes, that appears to do the trick. And it's now obvious
when reading the unbound.conf man page about outgoing-port-permit:
"The processing starts with the non IANA allocated ports above 1024
in the set of allowed ports."

Nice to hear it is solved.

Out of curiosity, was I reading the code wrong, or is daemon.c code
used for library calls too?

That code is for the server, but the library uses the same code (from
config_file.c) to do it. The section around the condense_ports function.

Best regards, Wouter
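The ordered permit/avoid processing Wouter describes, and the man page note that processing starts from the ports above 1024, are easy to misread; the following is an added Python model (not unbound's code, and not from this thread) that replays the three configurations discussed above and shows why the first one still leaves 61000-65535 open. It simplifies the starting set to all of 1024-65535, whereas real unbound starts from the non-IANA-allocated ports above 1024.

```python
# Constructed model of unbound's ordered outgoing-port-permit/avoid processing.
# Simplification: the real starting set is the non-IANA-allocated ports above
# 1024 (config_file.c); this model starts from all of 1024-65535.

PORT_MAX = 65535
KEYWORDS = ("outgoing-port-permit", "outgoing-port-avoid")


def parse_range(spec):
    """'32768-60999' -> (32768, 60999); a single port '53' -> (53, 53)."""
    lo, _, hi = spec.partition("-")
    lo = int(lo)
    hi = int(hi) if hi else lo
    if not 0 <= lo <= hi <= PORT_MAX:
        raise ValueError(f"bad port range: {spec!r}")
    return lo, hi


def parse_server_block(text):
    """Collect outgoing-port-* statements from a server: block, preserving order."""
    statements = []
    for line in text.splitlines():
        key, _, val = line.strip().partition(":")
        if key in KEYWORDS:
            statements.append((key, val.strip()))
    return statements


def allowed_ports(statements):
    """Apply statements in order, as unbound does, and return the allowed set."""
    allowed = set(range(1024, PORT_MAX + 1))  # simplified default set, see above
    for key, spec in statements:
        lo, hi = parse_range(spec)
        if key == "outgoing-port-permit":
            allowed.update(range(lo, hi + 1))
        else:
            allowed.difference_update(range(lo, hi + 1))
    return allowed


# The server: block from the thread: permit 32768-60999, avoid 0-32767.
THREAD_CONF = "server:\n    outgoing-port-permit: 32768-60999\n    outgoing-port-avoid: 0-32767\n"
# Wouter's fix: additionally avoid everything above 60999.
FIXED_CONF = THREAD_CONF + "    outgoing-port-avoid: 61000-65535\n"
# The alternative he suggests: avoid everything, then permit selectively.
ALT_CONF = "server:\n    outgoing-port-avoid: 0-65535\n    outgoing-port-permit: 32768-60999\n"

if __name__ == "__main__":
    for name, conf in (("thread", THREAD_CONF), ("fixed", FIXED_CONF), ("alt", ALT_CONF)):
        ports = allowed_ports(parse_server_block(conf))
        print(f"{name}: {min(ports)}-{max(ports)}, {len(ports)} ports, 63000 allowed: {63000 in ports}")
```

Running it shows the thread's original configuration still allowing port 63000 (the 63xxx port Štěpán observed), while the fixed and alternative configurations both yield exactly 32768-60999.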