From: Chuck Swiger <cswiger@mac.com>
Date: Mon, 12 Feb 2007 10:42:00 -0800
To: Fernando Gont
Cc: freebsd-net@freebsd.org
Subject: Re: Ephemeral port selection
Message-Id: <1A3700B3-A649-419C-A5A4-FE181DE2D682@mac.com>
In-Reply-To: <200702121516.l1CFGHMX002994@venus.xmundo.net>
References: <200702121516.l1CFGHMX002994@venus.xmundo.net>
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net@freebsd.org>

On Feb 12, 2007, at 7:16 AM, Fernando Gont wrote:

> Looking at FreeBSD's TCP implementation, I see that by default,
> ephemeral ports are selected from the range 49152-65535. This means
> that only 15K ports out of the available 65K port range are used
> for ephemeral port selection.

You can change the following sysctl's:

  net.inet.ip.portrange.first: 49152
  net.inet.ip.portrange.last: 65535
  net.inet.ip.portrange.hifirst: 49152
  net.inet.ip.portrange.hilast: 65535

...to adjust the range of ephemeral port #'s. I assume you're familiar
with the IANA document on port # ranges here:

  http://www.iana.org/assignments/port-numbers

It's likely to be the case that you could use a larger range (starting
from 32K or even 10K) without bothering anything significant, but it's
not really apparent to me that doubling or tripling the range of the
available ephemeral ports is going to help significantly except for
unusual cases. How many machines really need to have more than 15K
open connections outstanding and where the other parts of the
connection tuple (srcIP, srcPort, dstIP, dstPort) do not vary?

> We have also been working on an alternative port randomization
> scheme, that would help to avoid the problems described in Mike's
> presentation.

A better mechanism for allocating random ephemeral ports would
certainly be valuable.

-- 
-Chuck
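An added example, not part of Chuck's or Fernando's messages: a small Python audit that parses the output of `sysctl net.inet.ip.portrange` (only the four keys quoted in the reply are used; the sample text is constructed to match the defaults the thread quotes), checks that each range is well-formed, and reports its size, the bits of unpredictability a uniform random pick over it can offer (the quantity a port randomization scheme depends on), and the number of simultaneous connections possible when srcIP, dstIP and dstPort are fixed, which is the limit Chuck's closing question is about. Function names and the warning thresholds are my own choices; the IANA boundaries (system ports 0-1023, dynamic range 49152-65535) are from the IANA port-number assignments the reply links to.

```python
"""Audit a FreeBSD ephemeral port range from `sysctl net.inet.ip.portrange` output.

Added example, not code from the mailing-list thread.  On a FreeBSD host you
would feed the real output of `sysctl net.inet.ip.portrange` to
audit_sysctl_output(); the sample below is constructed.
"""
import math
import re

IANA_DYNAMIC_FIRST = 49152   # start of the IANA dynamic/private range
SYSTEM_PORTS_LAST = 1023     # 0-1023 are IANA system (well-known) ports
MAX_PORT = 65535

# Constructed sample with the defaults quoted in the thread (not a capture).
SAMPLE_SYSCTL_OUTPUT = """\
net.inet.ip.portrange.first: 49152
net.inet.ip.portrange.last: 65535
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.hilast: 65535
"""

_LINE = re.compile(r"^net\.inet\.ip\.portrange\.(\w+):\s*(\d+)\s*$")


def parse_portrange(text):
    """Return {key: int} for every net.inet.ip.portrange.<key>: <n> line."""
    values = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            values[m.group(1)] = int(m.group(2))
    return values


def audit_range(first, last):
    """Describe one ephemeral port range and flag settings worth a second look."""
    if not (0 <= first <= MAX_PORT and 0 <= last <= MAX_PORT):
        raise ValueError("port numbers must be 0-%d" % MAX_PORT)
    if first > last:
        raise ValueError("first (%d) must not exceed last (%d)" % (first, last))
    size = last - first + 1
    warnings = []
    if first <= SYSTEM_PORTS_LAST:
        warnings.append("range includes system ports (0-1023)")
    if first < IANA_DYNAMIC_FIRST:
        warnings.append("range overlaps the IANA registered range (1024-49151)")
    if size < 1024:
        warnings.append("fewer than 1024 ports: easy to exhaust and to guess")
    return {
        "first": first,
        "last": last,
        "size": size,
        # Upper bound on the unpredictability of a uniformly chosen port;
        # a biased selector gets strictly less than this.
        "entropy_bits": round(math.log2(size), 2),
        # With srcIP, dstIP and dstPort fixed, every connection needs its own
        # srcPort, so the range size caps simultaneous connections.
        "max_conns_same_tuple": size,
        "warnings": warnings,
    }


def audit_sysctl_output(text):
    """Parse sysctl output and audit both the default and the 'hi' range."""
    v = parse_portrange(text)
    return {
        "default": audit_range(v["first"], v["last"]),
        "high": audit_range(v["hifirst"], v["hilast"]),
    }


if __name__ == "__main__":
    for name, report in audit_sysctl_output(SAMPLE_SYSCTL_OUTPUT).items():
        print(name, report)
```

Widening the range as the reply suggests (a first of 32K or 10K) raises both numbers reported here; the audit only flags the overlap with the registered range so that the operator knows a locally run service on such a port can collide with an outgoing connection.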