Is authbind or privbind a good alternative? it probably has the same effect of setcap but with a little more security.

It seems the best choice is iptables.



Jorge Solórzano
http://www.jorsol.com

On Fri, Jan 16, 2015 at 9:31 PM, Jason T. Greene <jason.greene@redhat.com> wrote:

> On Jan 16, 2015, at 5:37 PM, denstar <valliantster@gmail.com> wrote:
>
> On 01/16/2015 04:19 PM, Jason Greene wrote:
> ...
> [snip helpful example rules]
>>
>> B. Using setcap to grant perms for java to bind lower ports:
>
> FWIW, this would open things up for Java in general, so while it should
> perform better, it'll also be a little more risky, which may or may not
> be a concern.

Right all Java code using this JVM would have access to binding *all ports* (e.g a Java program could bind say the ssh port (assuming it's not running) and sniff passwords). So it would be a good idea to have a dedicated JVM just for WildFly and to limit the execution permission to just a dedicated WildFly user. That way you ensure only the wildfly process can bind these ports.

Alternatively, you could use something like docker which automates capability assignment and provides some extra isolation. It's overkill though if the only thing running on a box is a wildfly process.

Just a note that you will still get fantastic performance with iptables port forwarding since the particular rule is completely stateless, and the action is just to modify the packet in memory. It's only extreme scenarios where that overhead is worth avoiding.

-Jason