Index: head/dns/dnscrypt-proxy2/Makefile =================================================================== --- head/dns/dnscrypt-proxy2/Makefile +++ head/dns/dnscrypt-proxy2/Makefile @@ -2,6 +2,7 @@ PORTNAME= dnscrypt-proxy PORTVERSION= 2.0.10 +PORTREVISION= 1 CATEGORIES= dns security ipv6 PKGNAMESUFFIX= 2 Index: head/dns/dnscrypt-proxy2/files/dnscrypt-proxy.in =================================================================== --- head/dns/dnscrypt-proxy2/files/dnscrypt-proxy.in +++ head/dns/dnscrypt-proxy2/files/dnscrypt-proxy.in @@ -19,6 +19,14 @@ # # dnscrypt_proxy_uid (str) User to run dnscrypt_proxy as # Default: %%USER%% +# +# dnscrypt_proxy_mac_portacl_enable (bool) +# Load mac_portacl module (network port access control policy) +# Default: NO +# +# dnscrypt_proxy_mac_portacl_port (int) +# Port used in the mac_portacl rule +# Default: 53 . /etc/rc.subr @@ -33,10 +41,65 @@ : ${dnscrypt_proxy_conf:="%%ETCDIR%%/dnscrypt-proxy.toml"} : ${dnscrypt_proxy_suexec:="NO"} : ${dnscrypt_proxy_uid:="%%USER%%"} +: ${dnscrypt_proxy_mac_portacl_enable:="NO"} +: ${dnscrypt_proxy_mac_portacl_port:="53"} checkyesno dnscrypt_proxy_suexec && dnscrypt_proxy_uid="root" command="/usr/sbin/daemon" command_args="-p ${pidfile} -u ${dnscrypt_proxy_uid} -f ${procname} -config ${dnscrypt_proxy_conf}" +start_precmd="dnscrypt_proxy_precmd" + +dnscrypt_proxy_precmd() { + local reservedlow reservedhigh rules_current rules_dnscrypt rport ruid + + if checkyesno dnscrypt_proxy_mac_portacl_enable ; then + + # Check and load mac_portacl module + if ! kldstat -m mac_portacl >/dev/null 2>&1 ; then + if ! kldload mac_portacl ; then + warn "Could not load mac_portacl module." + return 1 + fi + fi + + # Check and add mac_portacl rules + ruid=$(id -u $dnscrypt_proxy_uid) + rport=$dnscrypt_proxy_mac_portacl_port #smaller variable + rules_current=$(sysctl -n security.mac.portacl.rules) + rules_dnscrypt="uid:${ruid}:tcp:${rport},uid:${ruid}:udp:${rport}" + if [ ! $rules_current = "" ]; then + if ! echo $rules_current | grep "$rules_dnscrypt" >/dev/null 2>&1 ; then + rules_current="${rules_current},${rules_dnscrypt}" + if ! sysctl security.mac.portacl.rules="$rules_current" >/dev/null 2>&1 ; then + warn "Could not insert mac_portacl rules." + return 1 + fi + fi + elif ! sysctl security.mac.portacl.rules=$rules_dnscrypt >/dev/null 2>&1 ; then + warn "Could not insert mac_portacl rules." + return 1 + fi + + # Check and disable net.inet.ip.portrange.* control + reservedlow=$(sysctl -n net.inet.ip.portrange.reservedlow) + reservedhigh=$(sysctl -n net.inet.ip.portrange.reservedhigh) + if [ ! $reservedlow -eq 0 ]; then + if ! sysctl net.inet.ip.portrange.reservedlow=0 >/dev/null 2>&1 ; then + warn "Could not change net.inet.ip.portrange.reservedlow." + return 1 + fi + fi + if [ ! $reservedhigh -eq 0 ]; then + if ! sysctl net.inet.ip.portrange.reservedhigh=0 >/dev/null 2>&1 ; then + warn "Could not change net.inet.ip.portrange.reservedhigh." + return 1 + fi + fi + + fi # dnscrypt_proxy_mac_portacl_enable + + return 0 +} run_rc_command "$1" Index: head/dns/dnscrypt-proxy2/files/pkg-message.in =================================================================== --- head/dns/dnscrypt-proxy2/files/pkg-message.in +++ head/dns/dnscrypt-proxy2/files/pkg-message.in @@ -3,8 +3,15 @@ of dropping privileges after binding to a low port on FreeBSD. By default, this port's daemon will listen on port 5353 (TCP/UDP) as the -%%USER%% user. It's still possible to bind it and listen on port -53 (TCP/UDP), but it's not recommended. +%%USER%% user. + +It's possible to bind it and listen on port 53 (TCP/UDP) with mac_portacl(4) +kernel module (network port access control policy). For this add +dnscrypt_proxy_mac_portacl_enable=YES in your rc.conf. The dnscrypt-proxy +startup script will load mac_portacl and add a rule where %%USER%% user will +be able to bind on port 53 (TCP/UDP). This port can be changed by +dnscrypt_proxy_mac_portacl_port variable in your rc.conf. You also need to +change dnscrypt-proxy config file to use port 53. Below are a few examples on how to redirect local connections from port 5353 to 53.