Ephemeral port range (patch)

Kevin Oberman oberman at es.net
Sat Mar 1 22:42:20 UTC 2008


> Date: Sat, 01 Mar 2008 11:34:27 -0200
> From: Fernando Gont <fernando at gont.com.ar>
> Sender: owner-freebsd-net at freebsd.org
> 
> Folks,
> 
> This patch changes the default ephemeral port range from 49152-65535 
> to 1024-65535. This makes it harder for an attacker to guess the 
> ephemeral ports (as the port number space is larger). Also, it makes 
> the chances of port number collisions smaller. 
> (http://www.ietf.org/internet-drafts/draft-ietf-tsvwg-port-randomization-01.txt)
> 
> This patch also includes my previous patch that eliminated duplicated 
> code in in_pcb_bind().

The idea is good, but 1024 is way too low. Things like rpc and the like
use ports well above 1024. Notably, 6000 and above are used by X. Maybe
10000 would be OK. Maybe not, though. I see that gnuserv and gkrellmd
both use ports about 1000. (gnuserv uses 30871 and gkrellmd uses 19150.)
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net    Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751
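The trade-off argued in this thread, a wider ephemeral range buys guessing entropy but overlaps ports that daemons listen on, can be checked numerically. The following script is an added example, not code from the patch or from either poster; the listening-port set is constructed from the services the reply names (X on 6000, gkrellmd on 19150, gnuserv on 30871) and the three candidate ranges are the old FreeBSD default, the proposed 1024-65535 and the suggested floor of 10000.

```python
import math
import random

# Constructed sample of services the reply says listen above 1024; a real host
# would take this from sockstat/netstat output, not a hard-coded set.
LISTENING_PORTS = {6000, 19150, 30871}

# Candidate ephemeral ranges discussed in the thread: (first, last), inclusive.
CANDIDATE_RANGES = {
    "old default": (49152, 65535),
    "proposed": (1024, 65535),
    "floor 10000": (10000, 65535),
}


def range_size(first, last):
    """Number of ports in the inclusive range [first, last]."""
    return last - first + 1


def guess_entropy_bits(first, last):
    """Bits an attacker must guess if the source port is uniform over the range."""
    return math.log2(range_size(first, last))


def colliding_services(first, last, listening=LISTENING_PORTS):
    """Listening ports that lie inside the ephemeral range: the collision risk
    raised in the reply (ephemeral allocation can land on a daemon's port)."""
    return sorted(p for p in listening if first <= p <= last)


def pick_ephemeral_port(first, last, in_use, rng=None):
    """Uniformly random port in [first, last] that is not already in use.
    This mirrors the simple randomization scheme of the cited draft (assumed
    paraphrase, not the FreeBSD in_pcb_bind() implementation)."""
    rng = rng or random.SystemRandom()
    if range_size(first, last) <= len([p for p in in_use if first <= p <= last]):
        raise RuntimeError("no free ephemeral port in range")
    while True:
        port = rng.randint(first, last)
        if port not in in_use:
            return port


def compare_ranges(ranges=CANDIDATE_RANGES, listening=LISTENING_PORTS):
    """Per-range summary: size, entropy bits and the services it collides with."""
    return {
        name: {
            "size": range_size(f, l),
            "entropy_bits": round(guess_entropy_bits(f, l), 2),
            "collisions": colliding_services(f, l, listening),
        }
        for name, (f, l) in ranges.items()
    }
```

Running `compare_ranges()` shows the proposed range gains about two bits over the old default while overlapping all three listed services, which is the objection the reply makes.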