Date: Mon, 12 Feb 2007 10:42:00 -0800
From: Chuck Swiger <cswiger@mac.com>
To: Fernando Gont <fernando@gont.com.ar>
Cc: freebsd-net@freebsd.org
Subject: Re: Ephemeral port selection
Message-ID: <1A3700B3-A649-419C-A5A4-FE181DE2D682@mac.com>
In-Reply-To: <200702121516.l1CFGHMX002994@venus.xmundo.net>
References: <200702121516.l1CFGHMX002994@venus.xmundo.net>
On Feb 12, 2007, at 7:16 AM, Fernando Gont wrote:

> Looking at FreeBSD's TCP implementation, I see that by default,
> ephemeral ports are selected from the range 49152-65535. This means
> that only 15K ports out of the available 65K port range are used
> for ephemeral port selection.

You can change the following sysctls:

net.inet.ip.portrange.first: 49152
net.inet.ip.portrange.last: 65535
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.hilast: 65535

...to adjust the range of ephemeral port #'s. I assume you're familiar with the IANA document on port # ranges here:

http://www.iana.org/assignments/port-numbers

It's likely to be the case that you could use a larger range (starting from 32K or even 10K) without bothering anything significant, but it's not really apparent to me that doubling or tripling the range of the available ephemeral ports is going to help significantly except for unusual cases. How many machines really need to have more than 15K open connections outstanding and where the other parts of the connection tuple (srcIP, srcPort, dstIP, dstPort) do not vary?

> We have also been working on an alternative port randomization
> scheme, that would help to avoid the problems described in Mike's
> presentation.

A better mechanism for allocating random ephemeral ports would certainly be valuable.

--
-Chuck
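A constructed model of the point made above: local ports are exhausted per remote endpoint, not globally, and a random pick from a range of N ports gives a blind guesser a 1/N chance. This is an added example, not code from the thread or from FreeBSD; the allocator class and the destination addresses are hypothetical, while the range values are the sysctl defaults quoted in the message.

```python
import random

# FreeBSD defaults quoted in the message (net.inet.ip.portrange.first/last)
DEFAULT_FIRST, DEFAULT_LAST = 49152, 65535


class EphemeralPortAllocator:
    """Hypothetical model of ephemeral port selection from [first, last].

    A local port may be reused whenever the full connection tuple
    (srcIP, srcPort, dstIP, dstPort) differs, so the free list is kept
    per destination (dstIP, dstPort) rather than for the whole host.
    """

    def __init__(self, first=DEFAULT_FIRST, last=DEFAULT_LAST,
                 randomize=True, seed=None):
        if not 1 <= first <= last <= 65535:
            raise ValueError("invalid ephemeral port range")
        self.first, self.last = first, last
        self.randomize = randomize
        self.rng = random.Random(seed)
        self.free = {}  # (dstIP, dstPort) -> list of still-unused local ports

    @property
    def range_size(self):
        return self.last - self.first + 1

    def allocate(self, dst):
        free = self.free.setdefault(dst, list(range(self.first, self.last + 1)))
        if not free:
            raise OSError("ephemeral ports exhausted for %s:%d" % dst)
        if self.randomize:
            # Swap-remove a uniformly random free port in O(1)
            i = self.rng.randrange(len(free))
            free[i], free[-1] = free[-1], free[i]
            return free.pop()
        return free.pop(0)  # sequential: lowest free port next

    def guess_probability(self):
        """Chance that one blind guess hits the port of a new connection."""
        return 1.0 / self.range_size if self.randomize else 1.0


def connections_until_exhaustion(first, last, dst):
    """Count connections to one destination before allocation fails."""
    alloc, n = EphemeralPortAllocator(first, last, seed=1), 0
    try:
        while True:
            alloc.allocate(dst)
            n += 1
    except OSError:
        return n
```

Widening the range to start at 10000, as the message suggests is possible, raises both the per-destination connection budget and the guesser's denominator in the same proportion.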