Date:      Fri, 13 May 2005 09:00:57 -0600 (MDT)
From:      Matt Ruzicka <matt@frii.com>
To:        Mike Silbersack <silby@silby.com>
Cc:        freebsd-net@freebsd.org
Subject:   Re: **net** Re: Outbound TCP issue, potentially related to 'FreeBSD-SA-05:08.kmem [REVISED]'
Message-ID:  <Pine.BSF.4.58.0505130850280.66727@elara.frii.com>
In-Reply-To: <20050512192936.V730@odysseus.silby.com>
References:  <Pine.BSF.4.58.0505121627400.66727@elara.frii.com> <20050512192936.V730@odysseus.silby.com>

So reading up on this here:

  http://www.freebsd.se/cgi-bin/man.cgi?section=4&topic=ip

"Ports are allocated at random within the specified port range in order to
increase the difficulty of random spoofing attacks.  In scenarios such as
benchmarking, this behavior may be undesirable.  In these cases,
net.inet.ip.portrange.randomized can be used to toggle randomization off.
If more than net.inet.ip.portrange.randomcps ports have been allocated in
the last second, then return to sequential port allocation.  Return to
random allocation only once the current port allocation rate drops below
net.inet.ip.portrange.randomcps for at least
net.inet.ip.portrange.randomtime seconds. The default values for
net.inet.ip.portrange.randomcps and net.inet.ip.portrange.randomtime are
10 port allocations per second and 45 seconds correspondingly."

I'm curious if I want to give up the potential security benefits of the
randomization.

Is it worth instead looking at the possibility of tuning my
net.inet.ip.portrange.randomcps?  Or is disabling it altogether just a
first step to determine if this might be my problem?

Here are my values at the moment.

net.inet.ip.portrange.lowfirst: 1023
net.inet.ip.portrange.lowlast: 600
net.inet.ip.portrange.first: 1024
net.inet.ip.portrange.last: 5000
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.hilast: 65535
net.inet.ip.portrange.randomized: 1
net.inet.ip.portrange.randomcps: 10
net.inet.ip.portrange.randomtime: 45

Although I'm not familiar with what this /should/ be, my gut says 10
seems sort of low.

Also, was this only implemented in 4.11?  (Since we started seeing this
while running 4.9 still.)

  http://www.freebsd.org/releases/4.11R/relnotes-i386.html

We'll give this a shot though to see if it helps either way.

Thank you for the suggestion.

Matthew Ruzicka - Systems Administrator
Front Range Internet, Inc.
matt@frii.net - (970) 212-0728

Got SPAM?  Take back your email with MailArmory.  http://www.MailArmory.com

On Thu, 12 May 2005, Mike Silbersack wrote:

>
> On Thu, 12 May 2005, Matt Ruzicka wrote:
>
> > A couple days after we patched our systems, we started to receive a number
> > of reports of mysql connection errors when our patched FreeBSD 4.9 web
> > servers were trying to connect to our mysql server, which lives on a
> > separate FreeBSD machine.
>
> Although you just saw this behavior now, it sounds like you're describing
> a problem that sometimes occurs due to port randomization.  Can you try
> setting sysctl net.inet.ip.portrange.randomized=0 to see if that affects
> anything?
>
> Mike "Silby" Silbersack
>

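As an added illustration (not code from the thread, FreeBSD, or the ip(4) man page), here is a small Python model of the allocator behaviour the quoted ip(4) text describes, seeded with the sysctl values Matt lists: random ports until more than randomcps allocations land in one second, then sequential until randomtime seconds pass without another burst. The class and function names, the per-call timestamp, and the simplified hysteresis (each over-threshold second pushes the return to random out by randomtime) are my assumptions, not the kernel's implementation.

```python
import random
from collections import deque

class PortRangeSim:
    """Simplified model (not kernel code) of the ip(4) text quoted above:
    random ephemeral ports by default, sequential once more than randomcps
    ports go out in one second, random again after randomtime quiet seconds."""

    def __init__(self, first=1024, last=5000, randomized=1,
                 randomcps=10, randomtime=45, seed=1):
        self.first, self.last = first, last
        self.randomized, self.randomcps, self.randomtime = randomized, randomcps, randomtime
        self.rng = random.Random(seed)   # fixed seed: deterministic runs
        self.next_seq = first            # cursor used in sequential mode
        self.recent = deque()            # allocation times in the last second
        self.sequential_until = 0.0      # random mode may resume at this time
        self.in_use = set()

    def mode(self, now):
        if not self.randomized or now < self.sequential_until:
            return "sequential"
        return "random"

    def allocate(self, now):
        while self.recent and now - self.recent[0] >= 1.0:   # keep last second only
            self.recent.popleft()
        self.recent.append(now)
        if self.randomized and len(self.recent) > self.randomcps:
            # burst: each over-threshold second pushes the return to random out
            self.sequential_until = now + self.randomtime
        span = self.last - self.first + 1
        for _ in range(span):            # bounded search; None if range exhausted
            if self.mode(now) == "random":
                port = self.first + self.rng.randrange(span)
            else:
                port = self.next_seq
                self.next_seq = self.first if port >= self.last else port + 1
            if port not in self.in_use:
                self.in_use.add(port)
                return port
        return None

def burst_scenario():
    sim = PortRangeSim()                 # constructed: 11 connections in one second
    modes = [sim.mode(0.0)]                                  # random
    ports = [sim.allocate(i / 100) for i in range(11)]
    modes.append(sim.mode(1.0))                              # sequential
    modes.append(sim.mode(sim.sequential_until - 0.5))       # still sequential
    modes.append(sim.mode(sim.sequential_until))             # random again
    return modes, ports
```

With randomized=0 the model never leaves sequential mode, which is the behaviour Mike's suggested sysctl change produces.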