From owner-freebsd-hackers@FreeBSD.ORG Mon Sep 5 15:26:38 2011
From: Daniel Hartmeier
To: petz@nisshoko.net
Cc: freebsd-hackers@freebsd.org
Date: Mon, 5 Sep 2011 17:11:46 +0200
Subject: Re: TIME_WAIT Assassination in FreeBSD???
Message-ID: <20110905151146.GA10185@insomnia.benzedrine.cx>
In-Reply-To: <001e01cc6a9d$8e62c870$ab285950$@internode.on.net>

In FreeBSD, the ftp client allocates the port for an active-mode data
connection by calling bind(2) with so_port set to 0, which means it lets
the kernel pick a port, see

http://www.freebsd.org/cgi/cvsweb.cgi/src/contrib/lukemftp/src/Attic/ftp.c?rev=1.1.1.8;content-type=text%2Fplain;hideattic=0

The kernel code where the port is picked is in function in_pcb_lport(), see

http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/in_pcb.c?rev=1.281;content-type=text%2Fplain

Basically, there is a range of ports (49152-65535, adjustable with sysctl),
and the algorithm picks a random port within that range:

    if (dorandom)
        *lastport = first + (arc4random() % (last - first));

It checks whether that port is available. If not, it increments it by one,
and tries again, etc. in a loop, until it finds one.

So, for your case, it is unlikely that two subsequent bind() calls from the
ftp client would result in the same port being picked randomly, unless a
large part of the port range is unavailable.

You can get port re-use that is quick enough to confuse pf, for instance,
by opening new connections (to the same destination address and port) at a
high rate, e.g. when running the Apache web server benchmark tool.

But if you're simply running the ftp client on an otherwise idle host, and
two subsequent bind() calls get assigned the same 'random' port, I'd say
the port randomization is not working properly :)

HTH,
Daniel
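The following C program is an added illustration for this archive page, not code from the thread, the kernel's in_pcb_lport() or the ftp client: it models the random-start, linear-probe pick Daniel describes and measures how often two back-to-back bind()s land on the same port when the range is idle versus nearly exhausted. It assumes the 49152-65535 range quoted above and replaces arc4random() with a seeded xorshift32 so runs are reproducible.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define PORT_FIRST 49152   /* range quoted in the message */
#define PORT_LAST  65535
#define NPORTS     65536

/* Seeded xorshift32 standing in for arc4random(), so runs are reproducible. */
static uint32_t rng_state = 2463534242u;
static uint32_t fake_arc4random(void)
{
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}

/* Random start in [first, last), then ++ with wrap-around until a free
 * port is found; marks it busy. Returns -1 if the whole range is busy. */
int pick_port(bool in_use[NPORTS], int first, int last, int *lastport)
{
    int count = last - first + 1;
    *lastport = first + (int)(fake_arc4random() % (uint32_t)(last - first));
    do {
        if (count-- < 0) return -1;
        if (++*lastport < first || *lastport > last) *lastport = first;
    } while (in_use[*lastport]);
    in_use[*lastport] = true;
    return *lastport;
}

/* Constructed experiment: all but `nfree` ports of the range are busy.
 * Returns how many of `trials` pick/release/pick sequences reuse a port. */
int count_quick_reuse(int nfree, int trials)
{
    static bool in_use[NPORTS];
    int lastport = PORT_FIRST, reused = 0;
    memset(in_use, 0, sizeof in_use);
    for (int p = PORT_FIRST; p <= PORT_LAST - nfree; p++)
        in_use[p] = true;
    for (int i = 0; i < trials; i++) {
        int a = pick_port(in_use, PORT_FIRST, PORT_LAST, &lastport);
        if (a < 0) return -1;
        in_use[a] = false;     /* connection closed, port released */
        int b = pick_port(in_use, PORT_FIRST, PORT_LAST, &lastport);
        in_use[b] = false;
        reused += (a == b);
    }
    return reused;
}
```

On an idle range the reuse count over 1000 trials stays near zero, while with a single free port every pick returns the same port, which is the situation in which a stateful filter such as pf still holds a state for the previous connection.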