Date:      Mon, 20 Apr 1998 10:41:38 +0800
From:      Peter Wemm <peter@netplex.com.au>
To:        Poul-Henning Kamp <phk@critter.freebsd.dk>
Cc:        dg@root.com, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, cvs-sys@FreeBSD.ORG
Subject:   Re: cvs commit: src/sys/netinet in.h in_pcb.c 
Message-ID:  <199804200241.KAA04886@spinner.netplex.com.au>
In-Reply-To: Your message of "Sun, 19 Apr 1998 21:45:18 +0200." <14247.893015118@critter.freebsd.dk>

Poul-Henning Kamp wrote:
> In message <199804191939.MAA04230@implode.root.com>, David Greenman writes:
> >>phk         1998/04/19 10:22:36 PDT
> >>
> >>  Modified files:
> >>    sys/netinet          in.h in_pcb.c 
> >>  Log:
> >>  According to:
> >>  
> >>  	ftp://ftp.isi.edu/in-notes/iana/assignments/port-numbers
> >>  
> >>  port numbers are divided into three ranges:
> >>  
> >>  	    0 -  1023 Well Known Ports
> >>  	 1024 - 49151 Registered Ports
> >>  	49152 - 65535 Dynamic and/or Private Ports
> >>  
> >>  This patch changes the "local port range" from 40000-44999
> >>  to the range shown above (plus fix the comment in in_pcb.c).
> >>  
> >>  WARNING: This may have an impact on firewall configurations!
> >
> >   This should not have been committed. There was extensive discussion about
> >this and the change was rejected.
> 
> Well, too bad there was not one single line of this discussion in
> the PR :-(

When gnats sends out a 'the following email has been recorded', it puts a 
return address of 'freebsd-bugs' rather than a 'freebsd-gnats-submit' like 
it does elsewhere.  This means that if people reply to the followup, it 
isn't recorded anywhere.

> Can you give a brief summary ?

As I understand things, the main problems are the dynamically assigned 
ports of things like rpc servers.  The 1024 -> 5000 range ends up with 
things like rpc servers and other deadly things and these are accessible 
including bypassing portmap etc.

The 40000 -> 44999 "space" was (as I understand it) a de facto kludge to 
get the ftp ports into the 5-digit area so that they could be 1) 
explicitly allowed through firewalls and 2) they could be transparently 
proxied (the ascii ports need rewriting) without recalculating the tcp 
sequence numbers.

I note that you have not changed the default dynamic range, it's still in
the 1024 -> 5000 area (which removes my immediate concerns).  I have less
of a problem with moving the 40000-44999 area as it's not going to cause
security problems, it's just going to cut people off in those firewall
configurations.  Moving all those silent listeners up into the 49K+ area is
going to cause blood-letting.

Moving the dynamically assigned range to 49152 -> 65535, overlapping with the
high-port range, would defeat the entire purpose of the split as it'd be
impossible to safely tell the difference at a firewall between transient/
dynamic servers (eg: rpc servers) and intentional servers such as the ftp
clients waiting for a back-connection.  The high portrange stuff is for 
things like ftp clients that can say 'give me a port that I can listen on 
that the firewall will let outsiders connect to'.

Incidentally, all this is irrelevant if you're not behind a firewall, in 
which case you can use whatever ports you like.  (I use 20000-30000 for 
dynamic ports and 40000-44999 for high ports personally).

> --
> Poul-Henning Kamp             FreeBSD coreteam member
> phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
> "Drink MONO-tonic, it goes down but it will NEVER come back up!"
> 

Cheers,
-Peter
--
Peter Wemm <peter@netplex.com.au>   Netplex Consulting
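The argument in the message is that a firewall can only safely open inbound access to the "high" range (ftp clients waiting for a back-connection) if that range is disjoint from the range the kernel hands to ordinary dynamic listeners such as rpc servers. The following added example (not FreeBSD code, and not from the thread) models that: it classifies ports into the three IANA ranges quoted in the commit log, assigns sample listeners a port from either range the way a first-free allocator would, and then applies a firewall policy that admits inbound connections only to the high range. The listener names and the "merged" configuration are constructed for illustration; the range numbers are the ones named in the message.

```python
"""Model of the dynamic/high local port range split and its firewall effect.

Added example, not FreeBSD's in_pcb.c. Range values come from the message;
listener names are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Range = Tuple[int, int]

# The three ranges quoted from the IANA port-numbers file in the commit log.
IANA_RANGES = [
    (0, 1023, "Well Known Ports"),
    (1024, 49151, "Registered Ports"),
    (49152, 65535, "Dynamic and/or Private Ports"),
]


def iana_class(port: int) -> str:
    """Return the IANA range name a port falls into."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    for lo, hi, name in IANA_RANGES:
        if lo <= port <= hi:
            return name
    raise AssertionError("unreachable")  # ranges cover 0..65535


@dataclass(frozen=True)
class PortConfig:
    """Local port ranges as a kernel would expose them (values are inclusive)."""
    dynamic: Range  # ports handed to ordinary binds (rpc servers etc.)
    high: Range     # ports handed to callers asking for an outsider-reachable port


def ranges_overlap(a: Range, b: Range) -> bool:
    return max(a[0], b[0]) <= min(a[1], b[1])


def allocate(cfg: PortConfig, listeners: List[Tuple[str, str]]) -> Dict[str, int]:
    """Give each (name, kind) listener the first free port in its kind's range.

    kind is "dynamic" or "high". A single used-port set is shared so that the
    two ranges cannot hand out the same port when they overlap.
    """
    used = set()
    assigned: Dict[str, int] = {}
    for name, kind in listeners:
        lo, hi = cfg.dynamic if kind == "dynamic" else cfg.high
        port = lo
        while port in used:
            port += 1
        if port > hi:
            raise RuntimeError(f"no free port for {name} in {kind} range")
        used.add(port)
        assigned[name] = port
    return assigned


def firewall_allows_inbound(cfg: PortConfig, port: int) -> bool:
    """Policy from the message: outsiders may reach the high range only."""
    return cfg.high[0] <= port <= cfg.high[1]


def reachable_from_outside(cfg: PortConfig,
                           listeners: List[Tuple[str, str]]) -> List[str]:
    """Names of listeners an outsider can connect to under the policy."""
    assigned = allocate(cfg, listeners)
    return sorted(n for n, p in assigned.items() if firewall_allows_inbound(cfg, p))


# Constructed sample: two transient rpc-style listeners and one ftp client
# that asked for an outsider-reachable port.
SAMPLE_LISTENERS = [
    ("rpc.statd", "dynamic"),
    ("mountd", "dynamic"),
    ("ftp-client-data", "high"),
]

# Split configuration as described in the message (pre-commit defaults).
SPLIT_CFG = PortConfig(dynamic=(1024, 5000), high=(40000, 44999))
# Hypothetical merged configuration: dynamic range moved on top of the high range.
MERGED_CFG = PortConfig(dynamic=(49152, 65535), high=(49152, 65535))

if __name__ == "__main__":
    for label, cfg in (("split", SPLIT_CFG), ("merged", MERGED_CFG)):
        print(label, "overlap:", ranges_overlap(cfg.dynamic, cfg.high),
              "reachable:", reachable_from_outside(cfg, SAMPLE_LISTENERS))
```

With the split configuration the only listener an outsider can reach is the ftp client; with the dynamic range moved onto the high range, every transient rpc listener lands inside the firewall's permitted range as well, which is exactly the "silent listeners" exposure the message warns about.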