TIME_WAIT Assassination in FreeBSD???

Daniel Hartmeier daniel at benzedrine.cx
Mon Sep 5 15:26:38 UTC 2011


In FreeBSD, the ftp client allocates the port for an active-mode data
connection by calling bind(2) with so_port set to 0, which means it lets
the kernel pick a port, see

  http://www.freebsd.org/cgi/cvsweb.cgi/src/contrib/lukemftp/src/Attic/ftp.c?rev=1.1.1.8;content-type=text%2Fplain;hideattic=0

The kernel code where the port is picked is in function in_pcb_lport(),
see

  http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/in_pcb.c?rev=1.281;content-type=text%2Fplain

Basically, there is a range of ports (49152-65535, adjustable with
sysctl), and the algorithm picks a random port within that range:

        if (dorandom)
                *lastport = first + (arc4random() % (last - first));

It checks whether that port is available. If not, it increments it by
one, and tries again, etc. in a loop, until it finds one.

So, for your case, it is unlikely that two subsequent bind() calls from
the ftp client would result in the same port being picked randomly,
unless a large part of the port range is unavailable.

You can get port re-use that is quick enough to confuse pf, for
instance, by opening new connections (to the same destination address
and port) at a high rate, e.g. when running the Apache web server
benchmark tool.

But if you're simply running the ftp client on an otherwise idle host,
and two subsequent bind() calls get assigned the same 'random' port,
I'd say the port randomization is not working properly :)

HTH,
Daniel
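
Added example, not part of the original message and not FreeBSD kernel code: a small C simulation of the port selection described above (random start in 49152-65535, then increment by one until a free port is found), counting how often two consecutive picks land on the same port. The xorshift PRNG standing in for arc4random(), the in_use table, the wrap-around at the top of the range, and the names pick_port and repeat_picks are assumptions of this sketch; it also assumes the previous port is free again before the next pick.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIRST 49152u            /* port range quoted in the message */
#define LAST  65535u

static uint8_t in_use[LAST + 1];          /* constructed stand-in for the kernel's lookup */
static uint32_t rng_state = 2463534242u;  /* fixed seed so runs are repeatable */

/* xorshift32: deterministic stand-in for arc4random() (assumption of this sketch) */
static uint32_t prng(void) {
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 17;
    rng_state ^= rng_state << 5;
    return rng_state;
}

/* Random start in the range, then +1 (wrapping, an assumption) until a free
 * port is found. Returns 0 when every port in the range is taken. */
static unsigned pick_port(void) {
    unsigned port = FIRST + (prng() % (LAST - FIRST));
    for (unsigned tries = 0; tries <= LAST - FIRST; tries++) {
        if (!in_use[port]) return port;
        if (++port > LAST) port = FIRST;
    }
    return 0;
}

/* Mark the lowest `busy` ports as taken, then count how many of `trials`
 * consecutive picks equal the previous pick. */
static unsigned repeat_picks(unsigned busy, unsigned trials) {
    memset(in_use, 0, sizeof in_use);
    for (unsigned p = FIRST; p < FIRST + busy && p <= LAST; p++) in_use[p] = 1;
    unsigned repeats = 0, prev = pick_port();
    for (unsigned i = 0; i < trials; i++) {
        unsigned cur = pick_port();
        if (cur == prev) repeats++;
        prev = cur;
    }
    return repeats;
}

int main(void) {
    printf("idle range:   %u repeats / 1000\n", repeat_picks(0, 1000));
    printf("4 ports left: %u repeats / 1000\n", repeat_picks(16380, 1000));
    printf("1 port left:  %u repeats / 1000\n", repeat_picks(16383, 1000));
    return 0;
}
```

With the range mostly occupied, the linear probe funnels nearly every random start onto the first free port, which is the "large part of the port range is unavailable" case from the message.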

