From owner-cvs-sys Sun Apr 19 19:45:00 1998
Return-Path:
Received: (from daemon@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA17663 for cvs-sys-outgoing; Sun, 19 Apr 1998 19:45:00 -0700 (PDT) (envelope-from owner-cvs-sys)
Received: from spinner.netplex.com.au (spinner.netplex.com.au [202.12.86.3]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA17474; Mon, 20 Apr 1998 02:44:25 GMT (envelope-from peter@netplex.com.au)
Received: from spinner.netplex.com.au (localhost [127.0.0.1]) by spinner.netplex.com.au (8.8.8/8.8.8/Spinner) with ESMTP id KAA04886; Mon, 20 Apr 1998 10:41:39 +0800 (WST) (envelope-from peter@spinner.netplex.com.au)
Message-Id: <199804200241.KAA04886@spinner.netplex.com.au>
X-Mailer: exmh version 2.0.2 2/24/98
To: Poul-Henning Kamp
cc: dg@root.com, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, cvs-sys@FreeBSD.ORG
Subject: Re: cvs commit: src/sys/netinet in.h in_pcb.c
In-reply-to: Your message of "Sun, 19 Apr 1998 21:45:18 +0200." <14247.893015118@critter.freebsd.dk>
Date: Mon, 20 Apr 1998 10:41:38 +0800
From: Peter Wemm
Sender: owner-cvs-sys@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Poul-Henning Kamp wrote:
> In message <199804191939.MAA04230@implode.root.com>, David Greenman writes:
> >>phk 1998/04/19 10:22:36 PDT
> >>
> >> Modified files:
> >> sys/netinet in.h in_pcb.c
> >> Log:
> >> According to:
> >>
> >> ftp://ftp.isi.edu/in-notes/iana/assignments/port-numbers
> >>
> >> port numbers are divided into three ranges:
> >>
> >> 0 - 1023 Well Known Ports
> >> 1024 - 49151 Registered Ports
> >> 49152 - 65535 Dynamic and/or Private Ports
> >>
> >> This patch changes the "local port range" from 40000-44999
> >> to the range shown above (plus fix the comment in in_pcb.c).
> >>
> >> WARNING: This may have an impact on firewall configurations!
> >
> > This should not have been committed. There was extensive discussion about
> >this and the change was rejected.
>
> Well, too bad there was not one single line of this discussion in
> the PR :-(

When gnats sends out a 'the following email has been recorded', it puts a
return address of 'freebsd-bugs' rather than 'freebsd-gnats-submit' like it
does elsewhere. This means that if people reply to the followup, it isn't
recorded anywhere.

> Can you give a brief summary ?

As I understand things, the main problems are the dynamically assigned ports
of things like rpc servers. The 1024 -> 5000 range ends up with things like
rpc servers and other deadly things, and these are accessible, including
bypassing portmap etc.

The 40000 -> 44999 "space" was (as I understand it) a de facto kludge to get
the ftp ports into the 5-digit area so that they could be 1) explicitly
allowed through firewalls and 2) transparently proxied (the ascii ports need
rewriting) without recalculating the tcp sequence numbers.

I note that you have not changed the default dynamic range; it's still in the
1024 -> 5000 area (which removes my immediate concerns). I have less of a
problem with moving the 40000-44999 area, as it's not going to cause security
problems; it's just going to cut people off in those firewall configurations.
Moving all those silent listeners up into the 49K+ area is going to cause
blood-letting.

Moving the dynamically assigned range to 49152 -> 65535, overlapping with the
high-port range, would defeat the entire purpose of the split, as it'd be
impossible to safely tell the difference at a firewall between
transient/dynamic servers (eg: rpc servers) and intentional servers such as
the ftp clients waiting for a back-connection. The high port range stuff is
for things like ftp clients that can say 'give me a port that I can listen on
that the firewall will let outsiders connect to'.

Incidentally, all this is irrelevant if you're not behind a firewall, in
which case you can use whatever ports you like. (I use 20000-30000 for
dynamic ports and 40000-44999 for high ports personally.)
> --
> Poul-Henning Kamp             FreeBSD coreteam member
> phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
>            "Drink MONO-tonic, it goes down but it will NEVER come back up!"
>

Cheers,
-Peter
--
Peter Wemm
Netplex Consulting
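The firewall argument Peter makes above, modelled as an added example that is not part of the thread or of FreeBSD's own code. It keeps FreeBSD's real names for the two ranges (the net.inet.ip.portrange.first/last "dynamic" range that a bind() to port 0 lands in, and the hifirst/hilast "high" range selected with the IP_PORTRANGE_HIGH socket option declared in in.h), but the sequential allocator, the pass-inbound-to-high-range firewall rule and the rpc.statd/rpc.lockd/ftp listener names are a constructed toy model, not the kernel's allocator or any real ruleset. It shows that with the default range left at 1024-5000 the rule exposes only the listener that asked for a high port, while moving the dynamic range into 49152-65535 too makes the transient RPC listeners indistinguishable from the intentional one.

```python
"""Toy model of FreeBSD's split local-port ranges and a firewall rule.

Added illustration for the thread; not FreeBSD code.  Range names follow the
net.inet.ip.portrange sysctls and the IP_PORTRANGE_* constants from in.h.
The allocator (next free port, ascending) and the firewall rule (pass inbound
TCP only to the high range) are simplifying assumptions.
"""
from dataclasses import dataclass

IP_PORTRANGE_DEFAULT = 0   # bind to port 0 -> pick from first..last
IP_PORTRANGE_HIGH = 1      # bind to port 0 -> pick from hifirst..hilast


@dataclass(frozen=True)
class PortRanges:
    first: int     # net.inet.ip.portrange.first
    last: int      # net.inet.ip.portrange.last
    hifirst: int   # net.inet.ip.portrange.hifirst
    hilast: int    # net.inet.ip.portrange.hilast

    def overlap(self):
        """Return the (lo, hi) span shared by both ranges, or None."""
        lo = max(self.first, self.hifirst)
        hi = min(self.last, self.hilast)
        return (lo, hi) if lo <= hi else None


# The pre-commit layout the message describes ...
OLD = PortRanges(1024, 5000, 40000, 44999)
# ... the commit: high range moved to IANA's dynamic block, default range untouched ...
COMMITTED = PortRanges(1024, 5000, 49152, 65535)
# ... and the variant Peter warns against: dynamic range moved up as well (constructed).
OVERLAPPING = PortRanges(49152, 65535, 49152, 65535)


class Host:
    """One machine behind the firewall; tracks which daemon holds which port."""

    def __init__(self, ranges):
        self.ranges = ranges
        self.bound = {}   # port -> (label, portrange option used)

    def bind_ephemeral(self, label, portrange=IP_PORTRANGE_DEFAULT):
        """bind() to port 0: the kernel picks a free port from the chosen range."""
        if portrange == IP_PORTRANGE_HIGH:
            lo, hi = self.ranges.hifirst, self.ranges.hilast
        else:
            lo, hi = self.ranges.first, self.ranges.last
        for port in range(lo, hi + 1):
            if port not in self.bound:
                self.bound[port] = (label, portrange)
                return port
        raise OSError("EADDRNOTAVAIL: port range exhausted")


def firewall_allows_inbound(ranges, dport):
    """Assumed rule: pass inbound connections only to the high range."""
    return ranges.hifirst <= dport <= ranges.hilast


def exposed_listeners(host):
    """Listeners the rule lets in that never asked for a high port."""
    return sorted(label for port, (label, pr) in host.bound.items()
                  if pr == IP_PORTRANGE_DEFAULT
                  and firewall_allows_inbound(host.ranges, port))


def simulate(ranges):
    """Constructed scenario: two RPC daemons plus one ftp client data socket."""
    host = Host(ranges)
    host.bind_ephemeral("rpc.statd")                              # transient, default range
    host.bind_ephemeral("rpc.lockd")                              # transient, default range
    host.bind_ephemeral("ftp-client-data", IP_PORTRANGE_HIGH)     # intentional back-connection
    return exposed_listeners(host)


if __name__ == "__main__":
    for name, ranges in (("old", OLD), ("committed", COMMITTED), ("overlapping", OVERLAPPING)):
        print(f"{name:12s} overlap={ranges.overlap()} exposed={simulate(ranges)}")
```

With OLD and COMMITTED the only port the rule admits belongs to the socket that explicitly asked for it; with OVERLAPPING the two RPC daemons come through the same rule, which is the ambiguity the message says defeats the split.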