From: Mike Silbersack <silby@silby.com>
To: "Marc G. Fournier"
Cc: freebsd-net@freebsd.org
Subject: Re: dest vs source ports ...
Date: Tue, 22 Oct 2002 10:43:36 -0500 (CDT)
In-Reply-To: <20021022113147.X47756-100000@hub.org>
Message-ID: <20021022104052.D3313-100000@patrocles.silby.com>

On Tue, 22 Oct 2002, Marc G. Fournier wrote:

> Just a quick question ... how does the OS determine the 'source port' when
> connecting to a remote site? Is it reasonably safe to assume that the
> lower of the two ports is the dest port? For instance, if I try to telnet
> to a remote site where the remote site is running a service on port 6667,
> is it a pretty safe bet that FreeBSD will pick a port >6667 to go out on?
> Or is there an equal chance of it being lower?

The ephemeral port range used for source ports on outbound connects is
controllable through sysctl:

net.inet.ip.portrange.first: 49152
net.inet.ip.portrange.last: 65535

It is also different between -stable and -current. (-stable uses the values
1024 through 5000.) Note also that there is a hifirst->hilast range as well,
which is used by ftp and some other apps.

You would be very wise to not create any firewall rules which depended on
there being any relation between the ephemeral ports and whatever you are
connecting to. (In addition, there's nothing stopping a program from picking
a port 1024 < x < 65535 of its own choosing.)

Mike "Silby" Silbersack
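An added worked example, not part of the original post or of FreeBSD: it shows the two behaviours Silby describes with ordinary BSD sockets. A client that does not bind() gets a source port from the kernel's ephemeral range, and a client that does bind() before connect() uses whatever unprivileged port it chose. The listener stands in for the port-6667 service in the question but binds a kernel-chosen loopback port so it never collides with a real service; the explicit source port 40001 is an arbitrary assumption. Everything runs over 127.0.0.1 and needs no network access.

```c
/* Added example (not from the original mailing-list post or from FreeBSD).
 * Demonstrates: (1) with no bind(), the kernel assigns the source port from
 * its ephemeral range; (2) a program may bind() any unprivileged source port
 * of its own choosing before connect(). The comparison printed by main()
 * shows that "source port > destination port" is a coincidence, not a rule. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Open a TCP listener on 127.0.0.1:port (port 0 lets the kernel choose).
 * Stores the port actually bound in *port_out. Returns the fd, or -1. */
static int start_listener(uint16_t port, uint16_t *port_out)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 8) < 0) {
        close(fd);
        return -1;
    }
    socklen_t len = sizeof sa;
    getsockname(fd, (struct sockaddr *)&sa, &len);
    *port_out = ntohs(sa.sin_port);
    return fd;
}

/* Connect to 127.0.0.1:dst_port. If src_port is non-zero, bind() it first
 * (the "program picking a port of its own choosing" case); otherwise the
 * kernel picks from its ephemeral range at connect() time. Returns the
 * source port in use as reported by getsockname(), or 0 on failure. */
static uint16_t connect_with_source_port(uint16_t dst_port, uint16_t src_port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return 0;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (src_port != 0) {
        sa.sin_port = htons(src_port);
        if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) { close(fd); return 0; }
    }
    sa.sin_port = htons(dst_port);
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0) { close(fd); return 0; }
    socklen_t len = sizeof sa;
    getsockname(fd, (struct sockaddr *)&sa, &len);
    uint16_t used = ntohs(sa.sin_port);
    close(fd);
    return used;
}

int main(void)
{
    uint16_t dst = 0;
    int lfd = start_listener(0, &dst);     /* stands in for the port-6667 service */
    if (lfd < 0) { perror("listener"); return 1; }

    uint16_t kernel_pick = connect_with_source_port(dst, 0);
    uint16_t explicit    = connect_with_source_port(dst, 40001);  /* assumed free */

    printf("destination port           : %u\n", dst);
    printf("kernel-chosen source port  : %u (%s destination)\n", kernel_pick,
           kernel_pick > dst ? "above" : "below");
    printf("explicitly bound source    : %u\n", explicit);
    close(lfd);
    return 0;
}
```

The ordering line in the output changes from run to run and from host to host; a firewall rule that keys on it would let some legitimate connections through and drop others.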