Date: Sun, 2 Mar 2008 13:27:32 +0000 (GMT)
From: Robert Watson <rwatson@FreeBSD.org>
To: Mike Silbersack <silby@silby.com>
Cc: Rui Paulo <rpaulo@fnop.net>, freebsd-net@freebsd.org
Subject: Re: Ephemeral port range (patch)
Message-ID: <20080302132610.E10502@fledge.watson.org>
In-Reply-To: <20080301142538.L29763@odysseus.silby.com>
References: <200803011338.m21DcY9Z026418@venus.xmundo.net> <20080301142538.L29763@odysseus.silby.com>
On Sat, 1 Mar 2008, Mike Silbersack wrote:

> On Sat, 1 Mar 2008, Fernando Gont wrote:
>
>> This patch changes the default ephemeral port range from 49152-65535 to
>> 1024-65535. This makes it harder for an attacker to guess the ephemeral
>> ports (as the port number space is larger). Also, it makes the chances of
>> port number collisions smaller.
>> (http://www.ietf.org/internet-drafts/draft-ietf-tsvwg-port-randomization-01.txt)
>
> There are a number of commonly used ports above 1000, such as nfs and x11. I
> think OpenBSD uses 10000-65535, maybe that's a safer choice to go with.

In order to get acceptable open connection counts with 10gbps ethernet, I've
needed to run with a significantly lower starting portrange. In practice, the
following seems to do the trick for me:

  sysctl net.inet.ip.portrange.first=10000

Of course, I only run into this if I also increase maxsockets:

  sysctl kern.ipc.maxsockets=30000

Lowering the lower end of the ephemeral range to 10,000 would do the trick for
me, anyway.

Robert N M Watson
Computer Laboratory
University of Cambridge
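The three ranges discussed in this thread (the 49152-65535 default, the proposed 1024-65535, and the 10000-65535 compromise) trade off guessability, collision likelihood at high connection counts, and overlap with service ports such as nfs and x11. The following Python is an added example written for this archive page; it is not code from the thread or from FreeBSD. The `KNOWN_SERVICES` table is an illustrative subset I supply for the overlap check, not a complete registry.

```python
"""Assess a candidate ephemeral port range: guess probability, birthday-style
collision probability for N concurrent connections to one destination, and
overlap with well-known service ports. Added example, not from the thread."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PortRange:
    first: int
    last: int  # inclusive, matching the 49152-65535 style used in the thread

    def __post_init__(self):
        if not (1 <= self.first <= self.last <= 65535):
            raise ValueError("port range must lie within 1..65535 with first <= last")

    @property
    def size(self) -> int:
        return self.last - self.first + 1

    def contains(self, port: int) -> bool:
        return self.first <= port <= self.last


def guess_probability(rng: PortRange) -> float:
    """Chance that one blind guess hits a uniformly random ephemeral port."""
    return 1.0 / rng.size


def collision_probability(rng: PortRange, connections: int) -> float:
    """Exact probability that at least two of `connections` independently
    random ports (to the same destination) coincide; 1.0 once the range is
    exhausted."""
    if connections > rng.size:
        return 1.0
    p_distinct = 1.0
    for i in range(connections):
        p_distinct *= (rng.size - i) / rng.size
    return 1.0 - p_distinct


def max_connections_under(rng: PortRange, max_collision_prob: float) -> int:
    """Largest N whose collision probability stays at or below the bound.
    Computed incrementally so it is O(N) rather than O(N^2)."""
    n, p_distinct = 0, 1.0
    while n < rng.size:
        next_p_distinct = p_distinct * (rng.size - n) / rng.size
        if 1.0 - next_p_distinct > max_collision_prob:
            break
        p_distinct = next_p_distinct
        n += 1
    return n


# Illustrative subset of services that live above port 1024 (assumed here for
# the overlap check; nfs and x11 are the two the thread names).
KNOWN_SERVICES = {
    "nfs": (2049, 2049),
    "x11": (6000, 6063),
    "mysql": (3306, 3306),
    "postgresql": (5432, 5432),
}


def overlapping_services(rng: PortRange, services=KNOWN_SERVICES) -> list:
    """Names of services whose port interval intersects the ephemeral range."""
    hits = [name for name, (lo, hi) in services.items()
            if lo <= rng.last and hi >= rng.first]
    return sorted(hits)


if __name__ == "__main__":
    for label, rng in [("default", PortRange(49152, 65535)),
                       ("proposed", PortRange(1024, 65535)),
                       ("openbsd-style", PortRange(10000, 65535))]:
        print(f"{label:14s} size={rng.size:6d} guess={guess_probability(rng):.2e} "
              f"p_collide(1000)={collision_probability(rng, 1000):.3f} "
              f"overlaps={overlapping_services(rng)}")
```

Running it shows why 10000-65535 is the pragmatic middle ground in this thread: it keeps nearly the whole enlarged space (55536 ports versus 64512) while excluding nfs and the X11 range, which a 1024 floor would sweep into the ephemeral pool.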