Date: Thu, 30 Nov 2017 16:25:52 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-doc@FreeBSD.org
Subject: [Bug 223997] FreeBSD Handbook Section 11.11 Guidelines on net.inet.ip.portrange obsolete
Message-ID: <bug-223997-9@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=223997

            Bug ID: 223997
           Summary: FreeBSD Handbook Section 11.11 Guidelines on
                    net.inet.ip.portrange obsolete
           Product: Documentation
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: Documentation
          Assignee: freebsd-doc@FreeBSD.org
          Reporter: vmiller@hostileadmin.com

The FreeBSD Handbook[1] had this to say regarding net.inet.ip.portrange.*
sysctl variables:

“The net.inet.ip.portrange.* sysctl(8) variables control the port number
ranges automatically bound to TCP and UDP sockets. There are three ranges: a
low range, a default range, and a high range. Most network programs use the
default range which is controlled by net.inet.ip.portrange.first and
net.inet.ip.portrange.last, which default to 1024 and 5000, respectively.
Bound port ranges are used for outgoing connections and it is possible to run
the system out of ports under certain circumstances. This most commonly occurs
when running a heavily loaded web proxy. The port range is not an issue when
running a server which handles mainly incoming connections, such as a web
server, or has a limited number of outgoing connections, such as a mail relay.
For situations where there is a shortage of ports, it is recommended to
increase net.inet.ip.portrange.last modestly. A value of 10000, 20000 or 30000
may be reasonable. Consider firewall effects when changing the port range.
Some firewalls may block large ranges of ports, usually low-numbered ports,
and expect systems to use higher ranges of ports for outgoing connections.
For this reason, it is not recommended that the value of
net.inet.ip.portrange.first be lowered.”

FreeBSD 11.1 deploys values contrary to those above:

# uname -sr
FreeBSD 11.1-STABLE
# sysctl net.inet.ip.portrange
net.inet.ip.portrange.randomtime: 45
net.inet.ip.portrange.randomcps: 10
net.inet.ip.portrange.randomized: 1
net.inet.ip.portrange.reservedlow: 0
net.inet.ip.portrange.reservedhigh: 1023
net.inet.ip.portrange.hilast: 65535
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.last: 65535
net.inet.ip.portrange.first: 10000
net.inet.ip.portrange.lowlast: 600
net.inet.ip.portrange.lowfirst: 1023

A commit in March 2008[2] sets net.inet.ip.portrange.first and last to 10000
and 65535 respectively. It’s apparently obvious that The FreeBSD Handbook
includes obsolete guidelines. This raises the question “how does this change
the advice given in The Handbook?” Can The Handbook be updated to reflect
modern guidelines surrounding using these kernel tunables?

[1] https://www.freebsd.org/doc/handbook/configtuning-kernel-limits.html
[2] https://svnweb.freebsd.org/base/stable/11/sys/netinet/in.h?revision=176805&view=markup

-- 
You are receiving this mail because:
You are the assignee for the bug.
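The sysctl output quoted in the report describes three ephemeral ranges (low, default, high) plus the reserved range. As an added example, not part of the bug report or of FreeBSD's own tooling, this POSIX sh script parses that output and reports each range's size, with the checks an operator would want before editing first/last in /etc/sysctl.conf; the function names are hypothetical and the sample is the report's own output embedded as constructed input.

```shell
#!/bin/sh
# Added example: parse "sysctl net.inet.ip.portrange" output, size each range
# and flag settings that contradict the Handbook's guidance on "first".

# Constructed sample: the FreeBSD 11.1-STABLE values quoted in the report.
SAMPLE='net.inet.ip.portrange.randomtime: 45
net.inet.ip.portrange.randomcps: 10
net.inet.ip.portrange.randomized: 1
net.inet.ip.portrange.reservedlow: 0
net.inet.ip.portrange.reservedhigh: 1023
net.inet.ip.portrange.hilast: 65535
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.last: 65535
net.inet.ip.portrange.first: 10000
net.inet.ip.portrange.lowlast: 600
net.inet.ip.portrange.lowfirst: 1023'

# pr_get <sysctl output> <leaf name>  -> prints the value of that tunable
pr_get() {
    printf '%s\n' "$1" | awk -v k="net.inet.ip.portrange.$2:" '$1 == k { print $2 }'
}

# pr_range_size <a> <b> -> inclusive port count. The low range is given
# high-to-low (lowfirst=1023 down to lowlast=600), so order does not matter.
pr_range_size() {
    if [ "$1" -gt "$2" ]; then echo $(($1 - $2 + 1)); else echo $(($2 - $1 + 1)); fi
}

# pr_check <sysctl output> -> one line per range plus WARN lines; exit 1 on a warning
pr_check() {
    out=$1; rc=0
    first=$(pr_get "$out" first);       last=$(pr_get "$out" last)
    hifirst=$(pr_get "$out" hifirst);   hilast=$(pr_get "$out" hilast)
    lowfirst=$(pr_get "$out" lowfirst); lowlast=$(pr_get "$out" lowlast)
    reservedhigh=$(pr_get "$out" reservedhigh)
    echo "default: $first-$last ($(pr_range_size "$first" "$last") ports)"
    echo "high:    $hifirst-$hilast ($(pr_range_size "$hifirst" "$hilast") ports)"
    echo "low:     $lowlast-$lowfirst ($(pr_range_size "$lowfirst" "$lowlast") ports)"
    # Handbook: do not lower "first" into the reserved (privileged) range.
    if [ "$first" -le "$reservedhigh" ]; then
        echo "WARN: first ($first) lies inside the reserved range (<= $reservedhigh)"; rc=1
    fi
    # A range with first >= last leaves nothing for outgoing connections.
    if [ "$first" -ge "$last" ]; then
        echo "WARN: first ($first) is not below last ($last); default range is empty"; rc=1
    fi
    return $rc
}

pr_check "$SAMPLE"
```

On a FreeBSD host the same function can be fed live data with `pr_check "$(sysctl net.inet.ip.portrange)"`.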