How to deal with privileged ports (< 1024) for network management functions

When you run a network management application, it is sometimes required to bind your Syslog or SNMP trap receiver to a privileged port, i.e. 162/UDP for SNMP traps or 514/UDP for Syslog messages. This article describes two ways to do this when the receiving process runs as an unprivileged user.

Port numbers from 1 to 1023 are reserved for root, or more precisely for processes that hold the CAP_NET_BIND_SERVICE capability; a process running as an unprivileged user that tries to bind one of them fails with "Permission denied". We describe here two different ways to deal with this scenario.

Method 1: Forwarding from a privileged to a non-privileged port

If you have a process like a Minion or a Core service instance running as a non-root user, you can use your local firewall to forward packets arriving on a privileged port to an unprivileged port the process listens on. The examples below show this configuration for Syslog and SNMP traps. Note that firewall-cmd without --permanent only changes the runtime configuration, which is lost on reload or reboot; repeat the commands with --permanent and run firewall-cmd --reload, or run firewall-cmd --runtime-to-permanent afterwards, to keep them.

Forward 514 to 1514 with Firewalld

# enable masquerade to allow port-forwards (runtime only; add --permanent to keep it)
firewall-cmd --add-masquerade

# forward port 514 UDP and TCP to port 1514 on localhost
firewall-cmd --add-forward-port=port=514:proto=udp:toport=1514:toaddr=127.0.0.1
firewall-cmd --add-forward-port=port=514:proto=tcp:toport=1514:toaddr=127.0.0.1

Forward 162 to 1162 with Firewalld

# enable masquerade to allow port-forwards (runtime only; add --permanent to keep it)
firewall-cmd --add-masquerade

# forward port 162 UDP and TCP to port 1162 on localhost
firewall-cmd --add-forward-port=port=162:proto=udp:toport=1162:toaddr=127.0.0.1
firewall-cmd --add-forward-port=port=162:proto=tcp:toport=1162:toaddr=127.0.0.1

This method does not require assigning additional permissions to the running process. The process only needs to expose an unprivileged port on localhost (127.0.0.1:1514 or 127.0.0.1:1162 in the examples above), so it is not reachable directly from the network. If forwarded packets do not arrive, first check with ss -ulnp that the receiver is really listening on 127.0.0.1 and the unprivileged port, and then check the kernel setting net.ipv4.conf.all.route_localnet: packets that arrive on a non-loopback interface and are DNATed to 127.0.0.1 are dropped as martians unless it is set to 1. Also keep in mind that enabling masquerade applies to the whole zone, so traffic routed through the host is NATed as well.
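The following script applies the two forwards from above permanently, reloads firewalld and checks that the rules are really present. It is an added example, not code from this page or from OpenNMS; the port pairs and the 127.0.0.1 target are the ones used above, while the function names, the FORWARDS variable and the assumption that firewall-cmd --list-forward-ports prints one rule per line in the same port=...:proto=...:toport=...:toaddr=... form are mine.

```shell
#!/bin/sh
# Added example, not code from the page or from OpenNMS: apply both forwards
# permanently and verify them. Port pairs and the 127.0.0.1 target are the ones
# used on the page; everything else (function names, FORWARDS) is an assumption.
set -eu

# privileged:unprivileged port pairs, as on the page (Syslog and SNMP traps)
FORWARDS="514:1514 162:1162"

# Render one firewalld forward-port specification. Kept in a function so the
# exact rule text can be checked without root and without a running firewalld.
forward_rule() {
  # $1 privileged port, $2 unprivileged port, $3 protocol (udp|tcp)
  printf 'port=%s:proto=%s:toport=%s:toaddr=127.0.0.1' "$1" "$3" "$2"
}

# Write the rules to the permanent configuration of the default zone, then
# reload so they become active (plain --add-* only changes the runtime config).
apply_forwards() {
  firewall-cmd --permanent --add-masquerade
  for pair in $FORWARDS; do
    priv=${pair%%:*}
    unpriv=${pair##*:}
    for proto in udp tcp; do
      firewall-cmd --permanent --add-forward-port="$(forward_rule "$priv" "$unpriv" "$proto")"
    done
  done
  firewall-cmd --reload
}

# True if one forward is present in a rule listing given on stdin
# (assumed format: the output of `firewall-cmd --list-forward-ports`,
# one rule per line).
has_forward() {
  grep -qxF "$(forward_rule "$1" "$2" "$3")"
}

# Verify every pair in FORWARDS for both protocols against a rule listing
# given on stdin; prints the missing ones and returns 1 if any is missing.
check_forwards() {
  list=$(cat)
  missing=0
  for pair in $FORWARDS; do
    priv=${pair%%:*}
    unpriv=${pair##*:}
    for proto in udp tcp; do
      if ! printf '%s\n' "$list" | has_forward "$priv" "$unpriv" "$proto"; then
        echo "missing: $(forward_rule "$priv" "$unpriv" "$proto")" >&2
        missing=1
      fi
    done
  done
  return $missing
}

# Usage: ./forwards.sh apply   (as root)
#        ./forwards.sh check   (exit status 1 if a rule is missing)
case "${1:-}" in
  apply) apply_forwards ;;
  check) firewall-cmd --list-forward-ports | check_forwards ;;
esac
```

Run it once with apply as root, then use check after every reload or reboot (for instance from a monitoring job) to catch rules that were only ever added to the runtime configuration.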

Method 2: Allow the process to bind on privileged ports

You can allow a certain executable to bind on privileged ports using the setcap utility in Linux, which stores file capabilities as an extended attribute of the binary. The capability can be assigned to any binary with the following command:

sudo setcap CAP_NET_BIND_SERVICE=+ep /path/to/binary

If you run a Java application such as OpenNMS Horizon Core or a Minion, you have to assign the capability to the java binary the OpenNMS components run with, i.e. the real executable behind the /usr/bin/java -> /etc/alternatives/java symlink chain, because file capabilities belong to the file itself. Verify the result with getcap /path/to/binary. Keep in mind that the capability applies to every process started from that binary, not only to OpenNMS, and that it is lost as soon as a JDK package update replaces the file, so re-run setcap after updates. Also, the dynamic loader treats a binary with file capabilities like a setuid program and ignores LD_LIBRARY_PATH for it; if java afterwards fails to load its own shared libraries (typically libjli.so), add the JDK's lib directories to a file in /etc/ld.so.conf.d/ and run ldconfig.
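The following script resolves the java executable that is actually started, grants it CAP_NET_BIND_SERVICE and verifies the capability. It is an added example, not code from this page or from OpenNMS; the JAVA_CMD default and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the page or from OpenNMS: grant
# CAP_NET_BIND_SERVICE to the java executable a service really runs and verify
# it. The JAVA_CMD default and the function names are assumptions.
set -eu

# The java the OpenNMS service starts; override with JAVA_CMD=/path/to/java if
# the service does not use the one found first on $PATH.
JAVA_CMD="${JAVA_CMD:-java}"

# File capabilities are extended attributes of the executable itself, so resolve
# the /usr/bin/java -> /etc/alternatives/java -> .../bin/java symlink chain and
# work on the real file.
real_binary() {
  readlink -f "$(command -v "$1")"
}

# True if the file carries cap_net_bind_service. Both the old getcap output
# format ("path = cap_net_bind_service+ep") and the new one
# ("path cap_net_bind_service=ep") contain the capability name.
has_bind_cap() {
  getcap "$1" 2>/dev/null | grep -q cap_net_bind_service
}

# Assign the capability (needs root) and confirm it stuck. The capability is
# lost whenever the JDK package replaces the file, so run this again after
# updates; the loader also ignores LD_LIBRARY_PATH for a binary with file
# capabilities, so java must find its libraries via ld.so.conf.
grant_bind_cap() {
  bin=$(real_binary "$1")
  setcap cap_net_bind_service=+ep "$bin"
  if has_bind_cap "$bin"; then
    echo "ok: $bin has cap_net_bind_service"
  else
    echo "failed: $bin has no cap_net_bind_service" >&2
    return 1
  fi
}

# Usage: ./javacap.sh grant   (as root)
#        ./javacap.sh check   (exit status 1 if the capability is missing)
case "${1:-}" in
  grant) grant_bind_cap "$JAVA_CMD" ;;
  check) has_bind_cap "$(real_binary "$JAVA_CMD")" ;;
esac
```

The check mode is useful in a post-update hook or a monitoring job, since a silently replaced java binary is the usual reason why a Minion suddenly cannot bind 162/UDP anymore.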

