From owner-freebsd-net@FreeBSD.ORG Sun Mar 2 13:43:12 2008
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B3A08106566C; Sun, 2 Mar 2008 13:43:12 +0000 (UTC) (envelope-from rwatson@FreeBSD.org)
Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.freebsd.org (Postfix) with ESMTP id 8DC298FC1F; Sun, 2 Mar 2008 13:43:12 +0000 (UTC) (envelope-from rwatson@FreeBSD.org)
Received: from fledge.watson.org (fledge.watson.org [209.31.154.41]) by cyrus.watson.org (Postfix) with ESMTP id AADE346BBF; Sun, 2 Mar 2008 08:27:32 -0500 (EST)
Date: Sun, 2 Mar 2008 13:27:32 +0000 (GMT)
From: Robert Watson
X-X-Sender: robert@fledge.watson.org
To: Mike Silbersack
In-Reply-To: <20080301142538.L29763@odysseus.silby.com>
Message-ID: <20080302132610.E10502@fledge.watson.org>
References: <200803011338.m21DcY9Z026418@venus.xmundo.net> <20080301142538.L29763@odysseus.silby.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: Rui Paulo, freebsd-net@freebsd.org
Subject: Re: Ephemeral port range (patch)
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Sun, 02 Mar 2008 13:43:12 -0000

On Sat, 1 Mar 2008, Mike Silbersack wrote:

> On Sat, 1 Mar 2008, Fernando Gont wrote:
>
>> This patch changes the default ephemeral port range from 49152-65535 to
>> 1024-65535. This makes it harder for an attacker to guess the ephemeral
>> ports (as the port number space is larger). Also, it makes the chances of
>> port number collisions smaller.
>> (http://www.ietf.org/internet-drafts/draft-ietf-tsvwg-port-randomization-01.txt)
>
> There are a number of commonly used ports above 1000, such as nfs and x11. I
> think OpenBSD uses 10000-65535, maybe that's a safer choice to go with.

In order to get acceptable open connection counts with 10gbps ethernet, I've
needed to run with a significantly lower starting portrange. In practice, the
following seems to do the trick for me:

  sysctl net.inet.ip.portrange.first=10000

Of course, I only run into this if I also increase maxsockets:

  sysctl kern.ipc.maxsockets=30000

Lowering the lower end of the ephemeral range to 10,000 would do the trick for
me, anyway.

Robert N M Watson
Computer Laboratory
University of Cambridge
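The thread makes two claims about the size of the ephemeral range: Fernando's patch argues that a larger range makes a live port harder to guess and collisions rarer, and Robert's reply shows that 16384 ports is too few for the concurrency he needs on 10 GbE. The following constructed Python model, added here and not part of the thread or of FreeBSD's networking code, puts numbers on both claims for the three ranges under discussion. It assumes a simplified allocator that picks a uniformly random port and retries on collision; FreeBSD's actual in_pcb port selection (sequential versus randomized modes, hash-bucket lookups) is more involved and is not reproduced here. The connection counts, guess counts and seed are constructed sample inputs.

```python
"""Constructed model of ephemeral-port-range effects (added example, not
FreeBSD code). Simplifying assumption: ports are chosen uniformly at random
from the range and re-drawn on collision."""
import random

# Inclusive ephemeral ranges mentioned in the thread.
RANGES = {
    "default 49152-65535": (49152, 65535),
    "patch 1024-65535": (1024, 65535),
    "openbsd-style 10000-65535": (10000, 65535),
}


def range_size(lo, hi):
    """Number of usable ephemeral ports in an inclusive range."""
    return hi - lo + 1


def allocate_ports(lo, hi, n_connections, rng=None):
    """Open n_connections from one source IP to one (dst IP, dst port).

    Every connection needs a distinct local port, so the range size is a hard
    ceiling on concurrency to a single destination. Returns (ports_in_use,
    retries); retries counts random picks that landed on a port already taken.
    Raises RuntimeError when the range cannot hold n_connections at all."""
    rng = rng or random.Random(0)  # fixed seed so a bare call is reproducible
    size = range_size(lo, hi)
    if n_connections > size:
        raise RuntimeError(
            f"need {n_connections} ports but range {lo}-{hi} has only {size}")
    in_use = set()
    retries = 0
    while len(in_use) < n_connections:
        port = rng.randint(lo, hi)
        if port in in_use:
            retries += 1  # collision: the allocator has to try again
            continue
        in_use.add(port)
    return in_use, retries


def expected_retries(lo, hi, n_connections):
    """Closed form for the simulation above. With i ports taken, a uniform
    pick collides with probability i/size, so the expected number of failed
    picks before the next success is i/(size - i); sum over the n picks."""
    size = range_size(lo, hi)
    return sum(i / (size - i) for i in range(n_connections))


def blind_guess_probability(lo, hi, k_guesses):
    """Chance that an off-path attacker who already knows the other three
    fields of the 4-tuple hits the one live ephemeral port within k distinct
    guesses, assuming the port was drawn uniformly from the range."""
    return min(1.0, k_guesses / range_size(lo, hi))


def compare(n_connections=15000, k_guesses=1024, seed=1):
    """Per-range statistics for one connection load and one attacker budget.
    A range too small for n_connections reports retries=None."""
    out = {}
    for name, (lo, hi) in RANGES.items():
        try:
            _, retries = allocate_ports(lo, hi, n_connections,
                                        random.Random(seed))
        except RuntimeError:
            retries = None
        out[name] = {
            "size": range_size(lo, hi),
            "retries": retries,
            "expected_retries": expected_retries(lo, hi, n_connections),
            "guess_prob": blind_guess_probability(lo, hi, k_guesses),
        }
    return out


if __name__ == "__main__":
    for name, s in compare().items():
        print(f"{name}: {s['size']} ports, {s['retries']} retries "
              f"(expected {s['expected_retries']:.0f}), "
              f"P(hit within 1024 guesses) = {s['guess_prob']:.4f}")
```

Run stand-alone it prints one line per range; the 16384-port default spends far more picks on collisions at 15000 concurrent connections than either larger range, and an attacker with a fixed guess budget has proportionally lower odds against the wider ranges. Raising kern.ipc.maxsockets, as Robert notes, only helps once the range is large enough to hand out that many distinct ports to one destination.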