When you run a network management application it is sometimes required to bind your Syslog or SNMP trap receiver to privileged ports i.e. 162/UDP for SNMP traps or 514/UDP for Syslog messages. This article describes two ways especially when you run processes as an unprivileged user.
Port numbers from 1 to 1023 are restricted for root users and require specific permissions. We describe here different ways how to deal with this scenario.
Method 1: Forwarding from a privileged to a non-privileged port
If you have a process like a Minion or a Core service instance running with a non-root user you can use your local firewall to forward network packets from a privileged port to a non-privileged port. The example below shows this configuration for Syslog and SNMP traps.
Forward 514 to 1514 with Firewalld
# enable masquerade to allow port-forwards firewall-cmd --add-masquerade # forward port 162 TCP and UDP to port 1162 on localhost firewall-cmd --add-forward-port=port=514:proto=udp:toport=1514:toaddr=127.0.0.1 firewall-cmd --add-forward-port=port=514:proto=tcp:toport=1514:toaddr=127.0.0.1
Forward 162 to 1162 with Firewalld
# enable masquerade to allow port-forwards firewall-cmd --add-masquerade # forward port 162 TCP and UDP to port 1162 on localhost firewall-cmd --add-forward-port=port=162:proto=udp:toport=1162:toaddr=127.0.0.1 firewall-cmd --add-forward-port=port=162:proto=tcp:toport=1162:toaddr=127.0.0.1
This method does not require assigning additional permissions to the running process. The process can expose an unprivileged just on localhost.
Method 2: Allow the process to bind on privileged ports
You can allow a certain process to bind on privileged ports using the set capabilities application (
setcap) in Linux. The permissions can be assigned to any binary with the following command:
sudo setcap CAP_NET_BIND_SERVICE=+eip /path/to/binary
If you a Java application running like OpenNMS Horizon Core or a Minion, you have to assign the permissions to your
java binary the OpenNMS components run with.
You can fix me, I’m a wiki post.