From owner-freebsd-bugs Fri May 2 12:37:41 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id MAA18356 for bugs-outgoing; Fri, 2 May 1997 12:37:41 -0700 (PDT)
Received: from hot.ee.lbl.gov (hot.ee.lbl.gov [131.243.1.42]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id MAA18350 for ; Fri, 2 May 1997 12:37:40 -0700 (PDT)
Received: by hot.ee.lbl.gov (8.8.5/1.43r) id MAA17182; Fri, 2 May 1997 12:37:39 -0700 (PDT)
Message-Id: <199705021937.MAA17182@hot.ee.lbl.gov>
To: bugs@freebsd.org
Subject: reserved port behavior change
Date: Fri, 02 May 1997 12:37:39 PDT
From: Craig Leres
Sender: owner-bugs@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

At some point between 2.2 and 2.2.1, the last reserved port used by in_pcbbind() was changed from 512 to 600. The reason I noticed this is because the kernel shell port is 544 and all my kerberos kshell applications stopped working. Although I don't want to install them suid to root, this makes some of them work.

There's a comment that says something about 512 not being good for firewalls. All other versions of Unix I'm aware of use 512, and making this change to freebsd means that there will be some applications that work everywhere but under freebsd. I suspect even firewall packages will have to know the difference between new freebsd, old freebsd and everybody else.

This change doesn't seem like a good idea at all... Especially since the value can be changed with sysctl; which means the minority of the freebsd population that run firewalls and need to have the last reserved port be higher than 512 can change it. But changing the default from its historic value is a mistake.

Craig

------
*************** *** 174,191 **** ushort first, last; int count; if (inp->inp_flags & INP_HIGHPORT) { first = ipport_hifirstauto; /* sysctl */ last = ipport_hilastauto; } else if (inp->inp_flags & INP_LOWPORT) { if (error = suser(p->p_ucred, &p->p_acflag)) return (EACCES); ! first = IPPORT_RESERVED - 1; /* 1023 */ ! 
last = IPPORT_RESERVED / 2; /* traditional - 512 */ ! *lastport = first; /* restart each time */ } else { first = ipport_firstauto; /* sysctl */ last = ipport_lastauto; } /* * Simple check to ensure all ports are not used up causing --- 201,222 ---- ushort first, last; int count; + inp->inp_flags |= INP_ANONPORT; + if (inp->inp_flags & INP_HIGHPORT) { first = ipport_hifirstauto; /* sysctl */ last = ipport_hilastauto; + lastport = &inp->inp_pcbinfo->lasthi; } else if (inp->inp_flags & INP_LOWPORT) { if (error = suser(p->p_ucred, &p->p_acflag)) return (EACCES); ! first = ipport_lowfirstauto; /* 1023 */ ! last = ipport_lowlastauto; /* 600 */ ! lastport = &inp->inp_pcbinfo->lastlow; } else { first = ipport_firstauto; /* sysctl */ last = ipport_lastauto; + lastport = &inp->inp_pcbinfo->lastport; } /* * Simple check to ensure all ports are not used up causing
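Review bot: the `!` lines that replace `last = IPPORT_RESERVED / 2; /* traditional - 512 */` with `last = ipport_lowlastauto; /* 600 */` raise the lower bound of the INP_LOWPORT anonymous range from 512 to 600 while `first` stays at 1023, so a privileged anonymous bind can no longer land on 512..599, and nothing in the hunk records why; the new comments `/* 1023 */` and `/* 600 */` also freeze tunable defaults into the source next to variables that are sysctls, so they should match the `/* sysctl */` annotation used on the high and default ranges and name the departure from the traditional value, e.g. `last = ipport_lowlastauto; /* sysctl, default 600; traditionally 512 */`. The added `lastport = &inp->inp_pcbinfo->lastlow;` (with `lasthi` and `lastport` for the other two ranges) replaces the removed `*lastport = first; /* restart each time */`, so low-port allocation now rotates across calls instead of restarting at the top of the range on every bind; that is a second behaviour change that callers expecting the highest free reserved port will notice, and it deserves its own mention in the commit message.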
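As an added illustration (not code from the report, nor from the FreeBSD patch above): a userland model of the anonymous reserved-port search that the hunk's `first`, `last` and `lastport` variables feed. The search loop itself is not shown on the page; the decrement-with-wraparound behaviour modelled here is assumed from the classic 4.4BSD in_pcbbind(), and `pick_low_port`, `drain_range` and the in-use bitmap are hypothetical names for this example. It shows which ports a privileged anonymous bind can be handed under the traditional lower bound of 512 versus the new default of 600, and in particular that port 544 is reachable only under the former.

```c
/* Userland model of the BSD in_pcbbind() anonymous-port search for
 * INP_LOWPORT binds. Added example, not kernel code: the search loop is
 * assumed to be the 4.4BSD decrement-with-wraparound loop. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define PORT_SPACE 65536

struct lowport_range {
    uint16_t first;    /* upper bound: 1023 (IPPORT_RESERVED - 1) */
    uint16_t last;     /* lower bound: 512 (traditional) or 600 (new default) */
    uint16_t lastport; /* rotation state, like inp_pcbinfo->lastlow */
};

/* Returns the port chosen, or 0 when every port in [last, first] is in use
 * (the kernel returns EADDRNOTAVAIL in that case). */
static uint16_t pick_low_port(struct lowport_range *r, const unsigned char *in_use)
{
    int count = r->first - r->last;
    uint16_t port;

    do {
        if (count-- < 0)
            return 0;
        --r->lastport;
        if (r->lastport > r->first || r->lastport < r->last)
            r->lastport = r->first; /* wrap back to the top of the range */
        port = r->lastport;
    } while (in_use[port]);
    return port;
}

/* Allocate from a fresh [last, 1023] range until it is exhausted. Returns how
 * many distinct ports were handed out and sets *watch_hit if `watch` was
 * ever one of them. The in-use table is constructed locally. */
static int drain_range(uint16_t last, uint16_t watch, int *watch_hit)
{
    struct lowport_range r = { 1023, last, 1023 };
    unsigned char in_use[PORT_SPACE];
    int n = 0;

    memset(in_use, 0, sizeof in_use);
    *watch_hit = 0;
    for (;;) {
        uint16_t p = pick_low_port(&r, in_use);
        if (p == 0)
            break;
        in_use[p] = 1;
        if (p == watch)
            *watch_hit = 1;
        n++;
    }
    return n;
}

int main(void)
{
    uint16_t bounds[] = { 512, 600 };
    size_t i;

    for (i = 0; i < sizeof bounds / sizeof bounds[0]; i++) {
        int hit;
        int n = drain_range(bounds[i], 544, &hit);
        printf("lower bound %u: %d anonymous reserved ports, kshell port 544 %s\n",
               bounds[i], n, hit ? "reachable" : "never chosen");
    }
    return 0;
}
```

With the traditional bound of 512 the range holds 512 ports and 544 is among them; with 600 it holds 424 and 544 (together with 512 and 514, the login and shell ports) is never handed out, which is the change the report describes.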