Date: Mon, 20 Apr 1998 10:41:38 +0800
From: Peter Wemm <peter@netplex.com.au>
To: Poul-Henning Kamp <phk@critter.freebsd.dk>
Cc: dg@root.com, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, cvs-sys@FreeBSD.ORG
Subject: Re: cvs commit: src/sys/netinet in.h in_pcb.c
Message-ID: <199804200241.KAA04886@spinner.netplex.com.au>
In-Reply-To: Your message of "Sun, 19 Apr 1998 21:45:18 +0200." <14247.893015118@critter.freebsd.dk>
Poul-Henning Kamp wrote:
> In message <199804191939.MAA04230@implode.root.com>, David Greenman writes:
> >>phk 1998/04/19 10:22:36 PDT
> >>
> >> Modified files:
> >> sys/netinet in.h in_pcb.c
> >> Log:
> >> According to:
> >>
> >> ftp://ftp.isi.edu/in-notes/iana/assignments/port-numbers
> >>
> >> port numbers are divided into three ranges:
> >>
> >> 0 - 1023 Well Known Ports
> >> 1024 - 49151 Registered Ports
> >> 49152 - 65535 Dynamic and/or Private Ports
> >>
> >> This patch changes the "local port range" from 40000-44999
> >> to the range shown above (plus fix the comment in in_pcb.c).
> >>
> >> WARNING: This may have an impact on firewall configurations!
> >
> > This should not have been committed. There was extensive discussion about
> >this and the change was rejected.
>
> Well, too bad there were not one single line of this discussion in
> the PR :-(

When gnats sends out a 'the following email has been recorded', it puts a return address of 'freebsd-bugs' rather than a 'freebsd-gnats-submit' like it does elsewhere. This means that if people reply to the followup, it isn't recorded anywhere.

> Can you give a brief summary ?

As I understand things, the main problems are the dynamically assigned ports of things like rpc servers. The 1024 -> 5000 range ends up with things like rpc servers and other deadly things, and these are accessible, including bypassing portmap etc.

The 40000 -> 44999 "space" was (as I understand it) a de facto kludge to get the ftp ports into the 5-digit area so that they could be 1) explicitly allowed through firewalls and 2) transparently proxied (the ascii ports need rewriting) without recalculating the tcp sequence numbers.

I note that you have not changed the default dynamic range; it's still in the 1024 -> 5000 area (which removes my immediate concerns). I have less of a problem with moving the 40000-44999 area, as it's not going to cause security problems; it's just going to cut people off in those firewall configurations.

Moving all those silent listeners up into the 49K+ area is going to cause blood-letting. Moving the dynamically assigned range to 49152 -> 65535, overlapping with the high-port range, would defeat the entire purpose of the split, as it'd be impossible to safely tell the difference at a firewall between transient/dynamic servers (e.g. rpc servers) and intentional servers such as the ftp clients waiting for a back-connection. The high port range stuff is for things like ftp clients that can say 'give me a port that I can listen on that the firewall will let outsiders connect to'.

Incidentally, all this is irrelevant if you're not behind a firewall, in which case you can use whatever ports you like. (I use 20000-30000 for dynamic ports and 40000-44999 for high ports personally.)

> --
> Poul-Henning Kamp FreeBSD coreteam member
> phk@FreeBSD.ORG "Real hackers run -current on their laptop."
> "Drink MONO-tonic, it goes down but it will NEVER come back up!"

Cheers,
-Peter
--
Peter Wemm <peter@netplex.com.au>
Netplex Consulting
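As an added example (not code from this thread or from FreeBSD), a small Python model of the port-range split Peter describes: the range values are taken from the post, the MERGED configuration and the listener names are constructed, and the audit shows why a firewall rule that admits only the high range stops working once the dynamic range overlaps it.

```python
from typing import Dict, List, Tuple

Range = Tuple[int, int]  # inclusive (first, last)

# IANA split quoted in the commit log.
IANA = [(0, 1023, "Well Known"), (1024, 49151, "Registered"),
        (49152, 65535, "Dynamic and/or Private")]

# (default, high) range pairs taken from the post; MERGED is a constructed
# hypothetical in which both ranges are moved into the IANA dynamic area.
OLD = ((1024, 5000), (40000, 44999))        # before the commit
NEW = ((1024, 5000), (49152, 65535))        # after it: default range unchanged
MERGED = ((49152, 65535), (49152, 65535))   # hypothetical, the case Peter warns against


def iana_class(port: int) -> str:
    for lo, hi, name in IANA:
        if lo <= port <= hi:
            return name
    raise ValueError(f"port {port} out of range")


def overlaps(a: Range, b: Range) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def firewall_admits(high: Range, dst_port: int) -> bool:
    # The firewall policy described in the post: outsiders may reach only the
    # high range, where ftp clients deliberately wait for a back-connection.
    return high[0] <= dst_port <= high[1]


def exposed_transient(high: Range, transient: Dict[str, int]) -> List[str]:
    # Names of transient listeners (ports handed out from the default range,
    # e.g. rpc servers) that the high-range rule would let outsiders reach.
    return sorted(n for n, p in transient.items() if firewall_admits(high, p))


def audit(default: Range, high: Range) -> List[str]:
    # Findings a firewall administrator would want before adopting a config.
    findings = []
    if overlaps(default, high):
        findings.append("dynamic and high ranges overlap: a firewall cannot "
                        "tell transient servers from intended listeners")
    if iana_class(high[0]) != iana_class(high[1]):
        findings.append("high range straddles an IANA class boundary")
    return findings
```

With OLD and NEW the audit is clean and no transient listener is reachable; with MERGED, every rpc server that happens to land in the shared range is admitted by the same rule that was meant for ftp back-connections.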