From: Rick Miller
Date: Thu, 30 Nov 2017 17:39:37 +0000
Subject: net.inet.ip.portrange and The FreeBSD Handbook
To: freebsd-doc@freebsd.org, freebsd-net@freebsd.org
Hi all,

I found The FreeBSD Handbook[1] had this to say regarding net.inet.ip.portrange.* sysctl variables:

“The net.inet.ip.portrange.* sysctl(8) variables control the port number ranges automatically bound to TCP and UDP sockets. There are three ranges: a low range, a default range, and a high range. Most network programs use the default range which is controlled by net.inet.ip.portrange.first and net.inet.ip.portrange.last, which default to 1024 and 5000, respectively. Bound port ranges are used for outgoing connections and it is possible to run the system out of ports under certain circumstances. This most commonly occurs when running a heavily loaded web proxy. The port range is not an issue when running a server which handles mainly incoming connections, such as a web server, or has a limited number of outgoing connections, such as a mail relay. For situations where there is a shortage of ports, it is recommended to increase net.inet.ip.portrange.last modestly. A value of 10000, 20000 or 30000 may be reasonable. Consider firewall effects when changing the port range. Some firewalls may block large ranges of ports, usually low-numbered ports, and expect systems to use higher ranges of ports for outgoing connections.
For this reason, it is not recommended that the value of net.inet.ip.portrange.first be lowered.”

FreeBSD 11.1 deploys values contrary to those above:

# uname -sr
FreeBSD 11.1-STABLE
# sysctl net.inet.ip.portrange
net.inet.ip.portrange.randomtime: 45
net.inet.ip.portrange.randomcps: 10
net.inet.ip.portrange.randomized: 1
net.inet.ip.portrange.reservedlow: 0
net.inet.ip.portrange.reservedhigh: 1023
net.inet.ip.portrange.hilast: 65535
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.last: 65535
net.inet.ip.portrange.first: 10000
net.inet.ip.portrange.lowlast: 600
net.inet.ip.portrange.lowfirst: 1023

A commit in March 2008[2] sets net.inet.ip.portrange.first and last to 10000 and 65535 respectively. It’s apparently obvious The FreeBSD Handbook includes obsolete guidelines. This raises the question “how does this change the advice given in The Handbook?” PR 223997 is opened to have The Handbook updated.

[1] https://www.freebsd.org/doc/handbook/configtuning-kernel-limits.html
[2] https://svnweb.freebsd.org/base/stable/11/sys/netinet/in.h?revision=176805&view=markup

— Rick <703-581-3068>

-- 
Take care
Rick Miller
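An added example, not part of the mail above: a small POSIX sh checker that parses `sysctl net.inet.ip.portrange` output, sizes the low, default and high ranges, and flags a default range that starts inside the reserved ports (the case the Handbook warns against). The 11.1-STABLE values are the ones quoted in the mail; the "Handbook" sample with first=1024/last=5000 is constructed from the Handbook text, and the function names are mine.

```shell
#!/bin/sh
# Added example: audit net.inet.ip.portrange values from sysctl(8) output.

# Constructed input: the FreeBSD 11.1-STABLE values quoted in the mail.
PORTRANGE_11_1='net.inet.ip.portrange.randomtime: 45
net.inet.ip.portrange.randomcps: 10
net.inet.ip.portrange.randomized: 1
net.inet.ip.portrange.reservedlow: 0
net.inet.ip.portrange.reservedhigh: 1023
net.inet.ip.portrange.hilast: 65535
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.last: 65535
net.inet.ip.portrange.first: 10000
net.inet.ip.portrange.lowlast: 600
net.inet.ip.portrange.lowfirst: 1023'

# Constructed input: the old defaults the Handbook text still describes.
PORTRANGE_HANDBOOK='net.inet.ip.portrange.reservedhigh: 1023
net.inet.ip.portrange.last: 5000
net.inet.ip.portrange.first: 1024'

# portrange_get OUTPUT NAME: print the value of net.inet.ip.portrange.NAME
portrange_get() {
    printf '%s\n' "$1" | awk -v key="net.inet.ip.portrange.$2:" '$1 == key { print $2; exit }'
}

# portrange_span OUTPUT FIRST LAST: number of ports in the inclusive range.
# The low range is walked downward (lowfirst 1023 > lowlast 600), so use the absolute size.
portrange_span() {
    a=$(portrange_get "$1" "$2"); b=$(portrange_get "$1" "$3")
    [ -n "$a" ] && [ -n "$b" ] || return 1
    if [ "$a" -le "$b" ]; then echo $((b - a + 1)); else echo $((a - b + 1)); fi
}

# portrange_check OUTPUT: "ok" when the default range is sane and starts above
# reservedhigh (the Handbook says not to lower .first); otherwise a short reason.
portrange_check() {
    f=$(portrange_get "$1" first); l=$(portrange_get "$1" last)
    r=$(portrange_get "$1" reservedhigh)
    [ -n "$f" ] && [ -n "$l" ] || { echo "missing"; return 1; }
    [ "$f" -le "$l" ] || { echo "inverted"; return 1; }
    [ "$f" -gt "${r:-1023}" ] || { echo "first-in-reserved-range"; return 1; }
    echo ok
}
```

On a FreeBSD host the same functions can be fed live output with `portrange_check "$(sysctl net.inet.ip.portrange)"`.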