Hello.

I was doing experiments with sandboxing in FreeBSD. I executed nginx sandboxed (in sandbox for FreeBSD) and I noticed that the sandbox blocked 2 outbound datagrams from the nginx (uid:root) process.

Jun 17 00:26:02 ** sandboxd[49377]: action: deny for pid[30392]nginx uid:0 procedure: network-outbound[90] network outbound remote udp/ip4:65.158.94.185:1
Jun 17 00:26:02 ** sandboxd[49377]: action: deny for pid[30392]nginx uid:0 procedure: network-outbound[90] network outbound remote udp/ip4:65.158.94.168:1
Jun 17 01:17:03 ** sandboxd[49377]: action: deny for pid[61454]nginx uid:0 procedure: network-outbound[90] network outbound remote udp/ip4:205.197.140.171:1
Jun 17 01:17:03 ** sandboxd[49377]: action: deny for pid[61454]nginx uid:0 procedure: network-outbound[90] network outbound remote udp/ip4:205.197.140.178:1
Jun 17 01:24:11 ** sandboxd[49377]: action: deny for pid[11326]nginx uid:0 procedure: network-outbound[90] network outbound remote udp/ip4:80.239.148.73:1
Jun 17 01:24:11 ** sandboxd[49377]: action: deny for pid[11326]nginx uid:0 procedure: network-outbound[90] network outbound remote udp/ip4:80.239.148.95:1

I cannot find any information about these addresses except from whois. For which purpose is outgoing UDP/1 used?

nginx was built from ports with the following config:
===> The following configuration options are available for nginx-1.14.0_4,2:
     DEBUG=off: Build with debugging support
     DEBUGLOG=off: Enable debug log (--with-debug)
     DSO=on: Enable dynamic modules support
     FILE_AIO=on: Enable file aio
     IPV6=on: Enable IPv6 support
     THREADS=on: Enable threads support
     WWW=on: Enable html sample files
====> Modules that require MAIL module
     MAIL=off: Enable IMAP4/POP3/SMTP proxy module
     MAIL_IMAP=off: Enable IMAP4 proxy module
     MAIL_POP3=off: Enable POP3 proxy module
     MAIL_SMTP=off: Enable SMTP proxy module
     MAIL_SSL=off: Enable mail_ssl module
====> Modules that require HTTP module
     GOOGLE_PERFTOOLS=off: Enable google perftools module
     HTTP=on: Enable HTTP module
     HTTP_ADDITION=on: Enable http_addition module
     HTTP_AUTH_REQ=on: Enable http_auth_request module
     HTTP_CACHE=on: Enable http_cache module
     HTTP_DAV=on: Enable http_webdav module
     HTTP_FLV=off: Enable http_flv module
     HTTP_GEOIP=on: Enable http_geoip module
     HTTP_GUNZIP_FILTER=on: Enable http_gunzip_filter module
     HTTP_GZIP_STATIC=on: Enable http_gzip_static module
     HTTP_IMAGE_FILTER=off: Enable http_image_filter module
     HTTP_MP4=off: Enable http_mp4 module
     HTTP_PERL=off: Enable http_perl module
     HTTP_RANDOM_INDEX=off: Enable http_random_index module
     HTTP_REALIP=on: Enable http_realip module
     HTTP_REWRITE=on: Enable http_rewrite module
     HTTP_SECURE_LINK=on: Enable http_secure_link module
     HTTP_SLICE=on: Enable http_slice module
     HTTP_SSL=on: Enable http_ssl module
     HTTP_STATUS=on: Enable http_stub_status module
     HTTP_SUB=on: Enable http_sub module
     HTTP_XSLT=off: Enable http_xslt module
     HTTPV2=on: Enable HTTP/2 protocol support (SSL req.)
     STREAM=on: Enable stream module
     STREAM_SSL=on: Enable stream_ssl module (SSL req.)
     STREAM_SSL_PREREAD=on: Enable stream_ssl_preread module (SSL req.)
     AJP=off: 3rd party ajp module
     AWS_AUTH=off: 3rd party aws auth module
     BROTLI=off: 3rd party brotli module
     CACHE_PURGE=on: 3rd party cache_purge module
     CLOJURE=off: 3rd party clojure module
     CT=off: 3rd party cert_transparency module (SSL req.)
     DEVEL_KIT=on: 3rd party Nginx Development Kit module
     ARRAYVAR=off: 3rd party array_var module
     DRIZZLE=off: 3rd party drizzle module
     DYNAMIC_UPSTREAM=off: 3rd party dynamic_upstream module
     ECHO=off: 3rd party echo module
     ENCRYPTSESSION=off: 3rd party encrypted_session module
     FASTDFS=off: 3rd party fastdfs module
--
Kind Regards,
Alexander Morozov
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

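As an added example (not part of the post above), a small parser for the sandboxd deny lines quoted in it, which groups the blocked destinations per process, protocol and port so that the six denials collapse into the single pattern a defender would triage; the field names and the set of expected outbound ports are assumptions, since sandboxd documents no machine-readable log schema.

```python
import re
from collections import defaultdict

# The sandboxd network-outbound deny lines exactly as quoted in the post above.
SAMPLE_LOG = """\
Jun 17 00:26:02 ** sandboxd[49377]: action: deny for pid[30392]nginx uid:0 procedure: network-outbound[90] network outbound remote udp/ip4:65.158.94.185:1
Jun 17 00:26:02 ** sandboxd[49377]: action: deny for pid[30392]nginx uid:0 procedure: network-outbound[90] network outbound remote udp/ip4:65.158.94.168:1
Jun 17 01:17:03 ** sandboxd[49377]: action: deny for pid[61454]nginx uid:0 procedure: network-outbound[90] network outbound remote udp/ip4:205.197.140.171:1
Jun 17 01:17:03 ** sandboxd[49377]: action: deny for pid[61454]nginx uid:0 procedure: network-outbound[90] network outbound remote udp/ip4:205.197.140.178:1
Jun 17 01:24:11 ** sandboxd[49377]: action: deny for pid[11326]nginx uid:0 procedure: network-outbound[90] network outbound remote udp/ip4:80.239.148.73:1
Jun 17 01:24:11 ** sandboxd[49377]: action: deny for pid[11326]nginx uid:0 procedure: network-outbound[90] network outbound remote udp/ip4:80.239.148.95:1
"""

# Field layout inferred from the lines above (assumption: it matches only the
# network-outbound deny shape, not every sandboxd message).
DENY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sandboxd\[\d+\]: "
    r"action: (?P<action>\w+) for pid\[(?P<pid>\d+)\](?P<proc>\S+) uid:(?P<uid>\d+) "
    r"procedure: (?P<procedure>[\w-]+)\[\d+\] network outbound remote "
    r"(?P<proto>tcp|udp)/ip(?P<ipver>[46]):(?P<dst>[0-9A-Fa-f.:]+):(?P<port>\d+)$"
)

def parse_deny_line(line):
    """Parse one sandboxd network-outbound deny line; return None for any other line."""
    m = DENY_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"], rec["uid"], rec["port"] = int(rec["pid"]), int(rec["uid"]), int(rec["port"])
    return rec

def summarize_denials(text):
    """Group denied destinations by (process, uid, proto, port) -> sorted distinct hosts."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_deny_line(line)
        if rec and rec["action"] == "deny":
            groups[(rec["proc"], rec["uid"], rec["proto"], rec["port"])].add(rec["dst"])
    return {key: sorted(hosts) for key, hosts in groups.items()}

def unexpected_ports(summary, expected):
    """Keep only groups whose (proto, port) the service is not expected to reach."""
    # `expected` is per deployment (e.g. the resolver on udp/53, upstreams); assumption.
    return {key: hosts for key, hosts in summary.items() if (key[2], key[3]) not in expected}

if __name__ == "__main__":
    summary = summarize_denials(SAMPLE_LOG)
    for key, hosts in unexpected_ports(summary, {("udp", 53)}).items():
        print(key, len(hosts), "distinct hosts:", ", ".join(hosts))
```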