network port access control policy
To compile the port access control policy into your kernel, place the following
lines in your kernel configuration file:
Alternately, to load the port access control policy module at boot
time, place the following line in your kernel configuration file:
mac_portacl policy allows administrators to
administratively limit binding to local UDP and TCP ports via the
In order to enable the
MAC policy must be enforced on sockets (see
and the port(s) protected by
mac_portacl must not be
included in the range specified by the
mac_portacl policy only affects ports
explicitly bound by a user process (either for a listen/outgoing TCP socket,
or a send/receive UDP socket). This policy will not limit ports bound
implicitly for outgoing connections where the process has not explicitly
selected a port: these are automatically selected by the IP stack.
MIBs are available for fine-tuning the enforcement of this MAC policy. All
variables, except security.mac.portacl.rules, can also
be set as
mac_portacl is enabled, it will
control binding access to ports up to the port number set in the
variable. By default, all attempts to bind to
mac_portacl controlled ports will fail if not
explicitly allowed by the port access control list, though binding by the
superuser will be allowed, if the
variable security.mac.portacl.suser_exempt is set to a
MAC first appeared in FreeBSD 5.0 and
- Enforce the
mac_portacl policy. (Default: 1).
- The highest port number
mac_portacl will enforce
rules for. (Default: 1023).
- The port access control list is specified in the following format:
- Describes the type of subject match to be performed. Either
uid for user ID matching, or
gid for group ID matching.
- The user or group ID (depending on idtype)
allowed to bind to the specified port.
NOTE: User and group names are not valid; only the
actual ID numbers may be used.
- Describes which protocol this entry applies to. Either
- Describes which port this entry applies to.
NOTE: MAC security policies may not override other
security system policies by allowing accesses that they may deny, such
as net.inet.ip.portrange.reservedlow /
If the specified port falls within the range specified, the
mac_portacl entry will not function (i.e.,
even the specified user/group may not be able to bind to the specified
- Allow superuser (i.e., root) to bind to all
mac_portacl protected ports, even if the port
access control list does not explicitly allow this. (Default: 1).
- Allow applications to use automatic binding to port 0. Applications use
port 0 as a request for automatic port allocation when binding an IP
address to a socket. This tunable will exempt port 0 allocation from rule
checking. (Default: 1).
mac_portacl first appeared in FreeBSD
This software was contributed to the FreeBSD Project by
NAI Labs, the Security Research Division of Network Associates Inc. under
DARPA/SPAWAR contract N66001-01-C-8035 (“CBOSS”), as part of the
DARPA CHATS research program.