SOLVED jail running service on privileged port <1024

Grinas

Contributor
Joined
May 4, 2017
Messages
174
A while back I tried to change all the default ports that my jails use to port 80 or 443, as I have so many I cannot remember most of them and have to Google to find the correct port, e.g. CouchPotato uses 5050, SickChill uses 8080.

The problem is that when I change the port in the config and start the service, it shows as started, but when I check the status right after starting the service I can see it is not running.

For example, with qbittorrent, I stop it and change the port in the config to 80:
Code:
root@qbittorrent:/ # service qbittorrent start
Starting qbittorrent.
root@qbittorrent:/ # service qbittorrent status
qbittorrent is not running.


I cannot find any logs that provide information as to why this is happening, but it happens with all my jails.

The issue does not appear to occur when I have all the jail services using the same port, e.g. jail 1 with CouchPotato on IP 192.168.0.5, port 5050, and jail 2 with qbittorrent on IP 192.168.0.6, port 5050.

Jail settings of qbittorrent
Code:
release:11.3-RELEASE-p5
reservation:none
resolver:/etc/resolv.conf
rlimits:off
securelevel:2
shmsize:off
stacksize:off
state:up
stop_timeout:30
swapuse:off
sync_state:none
sync_target:none
sync_tgt_zpool:none
sysvmsg:new
sysvsem:new
sysvshm:new
template:no
type:jail
used:readonly
vmemoryuse:off
vnet:on
vnet0_mac:000c295bcae5 000c295bcae6
vnet1_mac:none
vnet2_mac:none
vnet3_mac:none
vnet_default_interface:auto
vnet_interfaces:none
wallclock:off


Is there some reason it is not possible to use ports 80 or 443 in jails? Since the jails and the host are using different IPs, I can't see why it is an issue.
 

SweetAndLow

Sweet'NASty
Joined
Nov 6, 2013
Messages
6,421
Probably has to do with ports below 1024 being privileged ports, which normal users can't run services on.
 

Grinas

Contributor
Joined
May 4, 2017
Messages
174
Looks like you are right, as qbittorrent would not start on a number of other ports under 1024.

Do you have any idea how to allow the service to run on a privileged port?
 

Fredda

Guru
Joined
Jul 9, 2019
Messages
608
You'd need to run qbittorrent as root, but that might not be such a good idea, as it is quite a security risk.
You could try something with ipfw to forward incoming connections on your desired ports <1024 to the ports the service is really running on.
Untested rule to forward incoming port 80 to 8080:
ipfw add 100 fwd 127.0.0.1,8080 tcp from any to any 80 in
 

garm

Wizard
Joined
Aug 19, 2017
Messages
1,556
You'd need to run qbittorrent as root,[..]
No! Do. Not. Do. That.

The only sane way is to use a reverse proxy if shortcuts are not an option...
 

Grinas

Contributor
Joined
May 4, 2017
Messages
174
Thanks @Fredda, your rule to forward the traffic did the trick.

Here is how to get the rule to persist.

Code:
vi /etc/rc.conf

# Enable Firewall and add rule to route port 80 to
# (/etc/rc.d/ipfw runs firewall_script in place of /etc/rc.firewall)
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"


vi /usr/local/etc/ipfw.rules

#!/bin/sh
# flush leaves only the kernel default rule 65535; on a kernel where that
# rule is deny (net.inet.ip.fw.default_to_accept=0) add an explicit allow
# rule after the fwd rule, or the jail loses all other connectivity
ipfw -q -f flush
ipfw add 100 fwd 127.0.0.1,<SERVICE_PORT> tcp from any to any 80 in
 
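Fredda's forward rule and the rc.conf/ipfw.rules recipe above, written out as a complete firewall_script with the check a practitioner would want before trusting it. This is an added example, not the original poster's script. It assumes the service listens on TCP 8080 and should also answer on 80 (both overridable through the environment), that /etc/rc.d/ipfw executes the script because rc.conf sets firewall_script, and that the jail's ipfw default rule might be deny, which is why it ends with an explicit allow rather than relying on the kernel build. Outside FreeBSD, or with DRY_RUN set, it prints the ipfw commands instead of running them.

```shell
#!/bin/sh
# /usr/local/etc/ipfw.rules: executed by /etc/rc.d/ipfw when rc.conf has
#   firewall_enable="YES"
#   firewall_script="/usr/local/etc/ipfw.rules"
# Added example for this thread, not the original poster's script.
# Assumed values (override via environment): the service listens on
# SERVICE_PORT (8080) and should also be reachable on PUBLIC_PORT (80).
PUBLIC_PORT="${PUBLIC_PORT:-80}"
SERVICE_PORT="${SERVICE_PORT:-8080}"

# Outside FreeBSD (or when DRY_RUN is set) print the ipfw commands instead
# of executing them, so the rule set can be reviewed before it is installed.
if [ -z "${DRY_RUN:-}" ] && [ "$(uname -s)" != "FreeBSD" ]; then
    DRY_RUN=1
fi

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "ipfw $*"
    else
        /sbin/ipfw "$@"
    fi
}

# Install the rule set. Rule numbers are spaced so rules can be added later.
apply_rules() {
    run -q -f flush
    # 1. Conventional first rule: loopback traffic is neither filtered nor
    #    redirected, so a client inside the jail still reaches the real port.
    run -q add 50 allow ip from any to any via lo0
    # 2. Transparent redirect: a TCP connection arriving on PUBLIC_PORT at any
    #    of the jail's own addresses ("me") is handed to the local socket
    #    bound to SERVICE_PORT. The service itself stays unprivileged.
    run -q add 100 fwd 127.0.0.1,"$SERVICE_PORT" tcp from any to me "$PUBLIC_PORT" in
    # 3. Everything else passes. After a flush only rule 65535 remains, and
    #    whether that is allow or deny depends on the kernel build
    #    (sysctl net.inet.ip.fw.default_to_accept). State it explicitly, or a
    #    deny kernel cuts the jail off from everything except the forward.
    run -q add 200 allow ip from any to any
}

# Post-install check: the fwd rule is present and something actually listens
# on SERVICE_PORT (a forward to a dead port just produces connection refused).
verify_rules() {
    /sbin/ipfw list 100 | grep -q "fwd 127.0.0.1,$SERVICE_PORT" \
        || { echo "fwd rule 100 missing" >&2; return 1; }
    sockstat -4l | grep -q ":$SERVICE_PORT" \
        || { echo "nothing listening on port $SERVICE_PORT" >&2; return 1; }
}

apply_rules
[ -n "${DRY_RUN:-}" ] || verify_rules
```

Review the generated rules first with `DRY_RUN=1 sh /usr/local/etc/ipfw.rules`, then `service ipfw start`; `ipfw show` afterwards lists packet counters per rule, so a hit on rule 100 confirms the redirect is doing the work. Only TCP is forwarded; a service that also needs UDP on the privileged port needs a second fwd rule.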

victort

Guru
Joined
Dec 31, 2021
Messages
973
I need to run a webserver (caddy) as the www user, or I run into issues with the content it is serving (ZoneMinder glitching streams).

The solution mentioned in this thread about the firewall rules works, but I have done this:

1. Set the securelevel of the jail to -1
2. Then run this command:
Code:
sysctl net.inet.ip.portrange.reservedhigh=0

User www can now bind to port 80.

What are the security implications of this?
Is there perhaps a better way than to completely disable the reserved range?
 
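On the question of a narrower alternative: FreeBSD's mac_portacl(4) module grants one uid or gid the right to bind the specific ports named in security.mac.portacl.rules (up to port_high, 1023 by default) and denies every other unprivileged user on those ports. It is meant to be used together with the in-jail reservedhigh=0 step above, because the stack's own reservation check is separate from the MAC check, so that step (and, as victort found, lowering the jail's securelevel to make it) stays. What changes is that the reserved range is no longer open to everyone: only the listed uid gets the listed ports. The script below is an added example, not from the thread; it runs on the host, because a jail cannot load kernel modules, and it assumes the web server runs as uid 80 (www) and wants TCP 80 and 443. On a non-FreeBSD system or with DRY_RUN set it prints the commands instead of applying them.

```shell
#!/bin/sh
# Host side: allow one unprivileged uid to bind specific privileged ports via
# FreeBSD's mac_portacl(4) instead of opening the whole reserved range to all
# users. Added example for this thread, not victort's configuration.
# Assumptions: the web server runs as uid 80 (www) inside the jail and needs
# TCP 80 and 443; mac_portacl.ko is available on the host.
SVC_UID="${SVC_UID:-80}"
PORTS="${PORTS:-80 443}"

if [ -z "${DRY_RUN:-}" ] && [ "$(uname -s)" != "FreeBSD" ]; then
    DRY_RUN=1
fi

run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# Build a security.mac.portacl.rules value, e.g. uid:80:tcp:80,uid:80:tcp:443.
# Rejects non-numeric ports and ports above 1023: those need no rule, so
# listing one usually means a typo in the port list.
portacl_rules() {
    _uid=$1; shift
    _rules=""
    for _p in "$@"; do
        case "$_p" in
            ''|*[!0-9]*) echo "portacl_rules: bad port '$_p'" >&2; return 1 ;;
        esac
        if [ "$_p" -gt 1023 ]; then
            echo "portacl_rules: port $_p is not privileged, no rule needed" >&2
            return 1
        fi
        _rules="${_rules:+$_rules,}uid:$_uid:tcp:$_p"
    done
    echo "$_rules"
}

# Load the module and set the policy. The rules are global: uid 80 on the
# host and in every jail gets these ports, nobody else below port_high does.
apply_host() {
    _rules=$(portacl_rules "$SVC_UID" $PORTS) || return 1
    run kldload -n mac_portacl                      # -n: no error if already loaded
    run sysctl security.mac.portacl.suser_exempt=1  # root keeps binding anything
    run sysctl security.mac.portacl.port_high=1023  # policy covers the classic reserved range
    run sysctl "security.mac.portacl.rules=$_rules"
}

apply_host
```

To persist this, put `mac_portacl_load="YES"` in the host's /boot/loader.conf and the three security.mac.portacl settings in the host's /etc/sysctl.conf; the jail keeps its own net.inet.ip.portrange.reservedhigh=0. Check from inside the jail with `sockstat -4l`: the www process should hold :80, and a test bind to another port below 1024 as a different unprivileged user should fail with "Permission denied".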