Date:      Fri, 12 Dec 2003 18:17:46 -0700
From:      Brett Glass <brett@lariat.org>
To:        Barney Wolff <barney@databus.com>
Cc:        net@freebsd.org
Subject:   Re: Controlling ports used by natd
Message-ID:  <6.0.0.22.2.20031212175801.04b066d8@localhost>
In-Reply-To: <20031213001913.GA40544@pit.databus.com>
References:  <200312120312.UAA10720@lariat.org> <20031212074519.GA23452@pit.databus.com> <6.0.0.22.2.20031212011133.047ae798@localhost> <20031212083522.GA24267@pit.databus.com> <6.0.0.22.2.20031212103142.04611738@localhost> <20031212181944.GA33245@pit.databus.com> <6.0.0.22.2.20031212161250.045e9408@localhost> <20031213001913.GA40544@pit.databus.com>

At 05:19 PM 12/12/2003, Barney Wolff wrote:
  
>For most systems, the coarse granularity of sysctl net.inet.ip.portrange
>would seem sufficient.

This brings up an interesting point. I just typed

sysctl -a | grep portrange

into a recently minted 4.9 box, and got:

net.inet.ip.portrange.lowfirst: 1023
net.inet.ip.portrange.lowlast: 600
net.inet.ip.portrange.first: 1024
net.inet.ip.portrange.last: 5000
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.hilast: 65535

Why is "lowfirst" greater than "lowlast" above?

It is also interesting that natd doesn't respect the
"hifirst..hilast" settings here. Shouldn't it look at
these variables and avoid assigning ports that the
machine on which it's running would not use? Or should
there be a "net.inet.alias.portrange.first", etc., so 
that one could specify the ranges or lists for everything 
in one place? 

>I have a real philosophical problem with ceding ports to worms, viruses
>and trojans.  Where will it stop?  Portno is a finite resource.

In theory, it stops when all Windows users have patched their machines.
Alas, this will happen when a very warm place freezes over. :-( 

In practice, I think we need to come up with something better than the
notions of "well-known" and "privileged" ports. Something that, unlike
portmap, is easy for firewalls to work with.

--Brett
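The message above quotes the six net.inet.ip.portrange sysctls and asks whether natd should avoid the kernel's own auto-assignment ranges. The script below is an added example, not part of Brett's message or of FreeBSD/natd: it parses the quoted `sysctl` output (embedded here as a constructed sample with the same values), normalises each range to (low, high), reports ranges that fall outside 1..65535 or overlap one another, and reports which kernel ranges a candidate natd port range would collide with. The natd range is an assumed input supplied by the caller; the message describes no sysctl for it. The low range is stored descending on purpose (the kernel allocator counts down when lowfirst is greater than lowlast), so the script sorts the endpoints instead of flagging the inversion.

```python
"""Sanity-check FreeBSD net.inet.ip.portrange sysctls against a candidate natd range."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the `sysctl -a | grep portrange` output quoted in the message.
SAMPLE_SYSCTL = """\
net.inet.ip.portrange.lowfirst: 1023
net.inet.ip.portrange.lowlast: 600
net.inet.ip.portrange.first: 1024
net.inet.ip.portrange.last: 5000
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.hilast: 65535
"""

LINE_RE = re.compile(r"^net\.inet\.ip\.portrange\.(\w+):\s*(\d+)\s*$")

# Which sysctl pair bounds each auto-assignment range.
RANGE_KEYS = {
    "low": ("lowfirst", "lowlast"),       # walked downward by the kernel
    "default": ("first", "last"),
    "high": ("hifirst", "hilast"),
}


def parse_portrange(text: str) -> Dict[str, int]:
    """Extract name -> value for every net.inet.ip.portrange.* line."""
    vals: Dict[str, int] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            vals[m.group(1)] = int(m.group(2))
    return vals


def kernel_ranges(vals: Dict[str, int]) -> Dict[str, Tuple[int, int]]:
    """Return each range as an inclusive (lo, hi) tuple, regardless of direction."""
    out: Dict[str, Tuple[int, int]] = {}
    for name, (a, b) in RANGE_KEYS.items():
        if a not in vals or b not in vals:
            raise KeyError(f"missing sysctl {a}/{b} for range '{name}'")
        lo, hi = sorted((vals[a], vals[b]))
        out[name] = (lo, hi)
    return out


def check_ranges(ranges: Dict[str, Tuple[int, int]]) -> List[str]:
    """Report out-of-bounds ranges and ranges that overlap one another."""
    problems: List[str] = []
    for name, (lo, hi) in ranges.items():
        if lo < 1 or hi > 65535:
            problems.append(f"{name} range {lo}-{hi} outside 1..65535")
    names = list(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            alo, ahi = ranges[a]
            blo, bhi = ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"{a} range overlaps {b} range")
    return problems


def natd_overlap(ranges: Dict[str, Tuple[int, int]], natd_lo: int, natd_hi: int) -> List[str]:
    """Names of kernel ranges that an assumed natd port range [natd_lo, natd_hi] collides with."""
    return [name for name, (lo, hi) in ranges.items() if lo <= natd_hi and natd_lo <= hi]


if __name__ == "__main__":
    ranges = kernel_ranges(parse_portrange(SAMPLE_SYSCTL))
    for name, (lo, hi) in ranges.items():
        print(f"{name:8s} {lo}-{hi}")
    for p in check_ranges(ranges):
        print("problem:", p)
    # Hypothetical natd range chosen to show a collision with the high range.
    print("natd 49152-65535 collides with:", natd_overlap(ranges, 49152, 65535))
```

On a live box, replace SAMPLE_SYSCTL with the output of `sysctl net.inet.ip.portrange` and pass the range you intend natd to hand out; an empty list from natd_overlap means that range is clear of the ports the kernel would pick for its own outbound connections.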


