reject connections from non-loopback addresses <p dir="

PR: <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id

Support port forwarding for privileged ports (1-1023) about lima HOT 6 CLOSED

lima-vm commented on August 23, 2024 3

Support port forwarding for privileged ports (1-1023)

from lima.

Comments (6)

AkihiroSuda commented on August 23, 2024 1

Or maybe we don't need any SETUID stuff. Just bind 0.0.0.0:80, and reject connections from non-loopback addresses.

from lima.

AkihiroSuda commented on August 23, 2024

Another way is to replace ssh -L with a home-made port forwarder, and set SETUID bit on its binary.
(We could just set SETUID on ssh binary, but perhaps it may cause some unexpected side effect)

Most parts of the port forwarder could be executed without the SETUID bit. It will receive sockfd from a SETUID helper via SCM_RIGHTS cmsg.
https://github.com/apple/darwin-xnu/blob/xnu-7195.101.1/tests/fd_send.c

from lima.

jandubois commented on August 23, 2024

reject connections from non-loopback addresses

Maybe make the rejection configurable? I think it can be useful to expose an app running in lima to the local network, so you can test it e.g. as a service from another machine.

from lima.

AkihiroSuda commented on August 23, 2024

Yes, we will eventually need config file and (REST?) API to control flexible forwarding

from lima.

markomitranic commented on August 23, 2024

Until
this gets done, I hope this old little snippet helps someone :)

alias port80="sudo ifconfig lo0 127.0.0.1 alias
echo \"rdr pass on lo0 inet proto tcp from any to 127.0.0.1 port 80 -> 127.0.0.1 port 8080\" | sudo pfctl -ef -"

To revert the mappings back to their original state, just empty the file.

sudo pfctl -f /etc/pf.conf

Same for 443

from lima.

AkihiroSuda commented on August 23, 2024

PR: #283

from lima.

Recommend Projects