
Support port forwarding for privileged ports (1-1023) #45

Status: Closed
AkihiroSuda opened this issue Jun 11, 2021 · 6 comments · Fixed by #283
Labels: enhancement (New feature or request), priority/high

Comments

@AkihiroSuda (Member)

https://twitter.com/_AkihiroSuda_/status/1403403845842075648

I'm planning to support privileged ports using authbind (https://github.com/Castaglia/MacOSX-authbind) if it works.

@AkihiroSuda (Member, Author) commented Jun 11, 2021

Another way is to replace ssh -L with a home-made port forwarder, and set the SETUID bit on its binary.
(We could just set SETUID on the ssh binary, but perhaps it may cause some unexpected side effects.)

Most parts of the port forwarder could be executed without the SETUID bit. It will receive the sockfd from a SETUID helper via an SCM_RIGHTS cmsg.
https://github.com/apple/darwin-xnu/blob/xnu-7195.101.1/tests/fd_send.c

@AkihiroSuda added the `enhancement` (New feature or request) and `help wanted` (Extra attention is needed) labels on Jun 11, 2021

@AkihiroSuda (Member, Author)

Or maybe we don't need any SETUID stuff. Just bind 0.0.0.0:80, and reject connections from non-loopback addresses.

@AkihiroSuda removed the `help wanted` (Extra attention is needed) label on Jun 23, 2021

@jandubois (Member)

> reject connections from non-loopback addresses

Maybe make the rejection configurable? I think it can be useful to expose an app running in lima to the local network, so you can test it e.g. as a service from another machine.

@AkihiroSuda (Member, Author)

Yes, we will eventually need a config file and a (REST?) API to control flexible forwarding.
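The "bind 0.0.0.0 and reject non-loopback peers" idea from the comments above, with the configurable allow list jandubois asks for, as an added example in Go (Lima's language). It is not code from this issue or from the Lima project; the CIDR allow list is an assumed configuration knob.

```go
package main

import (
	"net"
	"net/netip"
)

// Allowed implements the "reject non-loopback" rule above: a "host:port"
// peer is accepted if it is loopback or inside one of allowCIDRs, a
// hypothetical config knob such as "192.168.1.0/24" for LAN access.
func Allowed(remote string, allowCIDRs ...string) bool {
	ap, err := netip.ParseAddrPort(remote)
	if err != nil {
		return false // fail closed on anything unparsable
	}
	ip := ap.Addr().Unmap() // so ::ffff:127.0.0.1 counts as loopback
	if ip.IsLoopback() {
		return true
	}
	for _, c := range allowCIDRs {
		pfx, err := netip.ParsePrefix(c)
		if err != nil {
			return false // a bad allow-list entry must never widen access
		}
		if pfx.Contains(ip) {
			return true
		}
	}
	return false
}

// Listener wraps a socket bound to e.g. 0.0.0.0:80 so that Accept only
// hands back peers Allowed permits; every other connection is closed.
type Listener struct {
	net.Listener
	AllowCIDRs []string
}

func (l Listener) Accept() (net.Conn, error) {
	for {
		c, err := l.Listener.Accept()
		if err != nil {
			return nil, err
		}
		if Allowed(c.RemoteAddr().String(), l.AllowCIDRs...) {
			return c, nil
		}
		c.Close() // neither loopback nor allow-listed
	}
}
```

Because the socket is still bound on all interfaces, remote peers see the port as open and the TCP handshake completes before the check runs; when no allow list is configured, binding to 127.0.0.1 instead keeps that reachability off the wire entirely.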

@markomitranic

Until this gets done, I hope this old little snippet helps someone :)

```shell
# Make sure 127.0.0.1 is on lo0, then load a single pf rdr rule that
# redirects local connections to 127.0.0.1:80 onto 127.0.0.1:8080.
# "pfctl -ef -" enables pf and replaces the live ruleset with stdin.
alias port80="sudo ifconfig lo0 127.0.0.1 alias
echo \"rdr pass on lo0 inet proto tcp from any to 127.0.0.1 port 80 -> 127.0.0.1 port 8080\" | sudo pfctl -ef -"
```

To revert the mappings back to their original state, just empty the file.

```shell
sudo pfctl -f /etc/pf.conf
```

Same for 443

@AkihiroSuda (Member, Author)

PR: #283
