[Bug 223997] FreeBSD Handbook Section 11.11 Guidelines on net.inet.ip.portrange obsolete

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Thu Nov 30 16:25:53 UTC 2017


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=223997

            Bug ID: 223997
           Summary: FreeBSD Handbook Section 11.11 Guidelines on
                    net.inet.ip.portrange obsolete
           Product: Documentation
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: Documentation
          Assignee: freebsd-doc at FreeBSD.org
          Reporter: vmiller at hostileadmin.com

The FreeBSD Handbook[1] had this to say regarding net.inet.ip.portrange.*
sysctl variables:

“The net.inet.ip.portrange.* sysctl(8) variables control the port number ranges
automatically bound to TCP and UDP sockets. There are three ranges: a low
range, a default range, and a high range. Most network programs use the default
range which is controlled by net.inet.ip.portrange.first and
net.inet.ip.portrange.last, which default to 1024 and 5000, respectively. Bound
port ranges are used for outgoing connections and it is possible to run the
system out of ports under certain circumstances. This most commonly occurs when
running a heavily loaded web proxy. The port range is not an issue when running
a server which handles mainly incoming connections, such as a web server, or
has a limited number of outgoing connections, such as a mail relay. For
situations where there is a shortage of ports, it is recommended to increase
net.inet.ip.portrange.last modestly. A value of 10000, 20000 or 30000 may be
reasonable. Consider firewall effects when changing the port range. Some
firewalls may block large ranges of ports, usually low-numbered ports, and
expect systems to use higher ranges of ports for outgoing connections. For this
reason, it is not recommended that the value of net.inet.ip.portrange.first be
lowered.”

FreeBSD 11.1 deploys values contrary to those above:

# uname -sr
FreeBSD 11.1-STABLE
# sysctl net.inet.ip.portrange
net.inet.ip.portrange.randomtime: 45
net.inet.ip.portrange.randomcps: 10
net.inet.ip.portrange.randomized: 1
net.inet.ip.portrange.reservedlow: 0
net.inet.ip.portrange.reservedhigh: 1023
net.inet.ip.portrange.hilast: 65535
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.last: 65535
net.inet.ip.portrange.first: 10000
net.inet.ip.portrange.lowlast: 600
net.inet.ip.portrange.lowfirst: 1023

A commit in March 2008[2] sets net.inet.ip.portrange.first and last to 10000
and 65535 respectively. It is apparently obvious that The FreeBSD Handbook
includes obsolete guidelines. This raises the question "how does this change
the advice given in The Handbook?"

Can The Handbook be updated to reflect modern guidelines surrounding the use of
these kernel tunables?

[1] https://www.freebsd.org/doc/handbook/configtuning-kernel-limits.html
[2]
https://svnweb.freebsd.org/base/stable/11/sys/netinet/in.h?revision=176805&view=markup

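An added example, not part of the bug report or of the Handbook text it quotes: a small POSIX sh audit that reads `sysctl net.inet.ip.portrange` output, computes how many ports the default ephemeral range actually offers (the shortage the Handbook paragraph is about), and flags the two conditions the quoted guidance warns against: net.inet.ip.portrange.first lowered into the reserved range (at or below net.inet.ip.portrange.reservedhigh, 1023 here), and an empty range. It also flags net.inet.ip.portrange.randomized being off, since random ephemeral port selection is the knob that makes off-path guessing of source ports harder. The sample input is a constructed copy of the 11.1-STABLE values shown in the report; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report or the Handbook): audit the
# net.inet.ip.portrange.* values a FreeBSD host actually uses.

# Constructed sample: the sysctl output quoted in the report for 11.1-STABLE.
SAMPLE='net.inet.ip.portrange.randomtime: 45
net.inet.ip.portrange.randomcps: 10
net.inet.ip.portrange.randomized: 1
net.inet.ip.portrange.reservedlow: 0
net.inet.ip.portrange.reservedhigh: 1023
net.inet.ip.portrange.hilast: 65535
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.last: 65535
net.inet.ip.portrange.first: 10000
net.inet.ip.portrange.lowlast: 600
net.inet.ip.portrange.lowfirst: 1023'

# portrange_get OUTPUT NAME: print the integer value of
# net.inet.ip.portrange.NAME found in OUTPUT ("name: value" lines).
portrange_get() {
    printf '%s\n' "$1" | awk -v key="net.inet.ip.portrange.$2:" \
        '$1 == key { print $2; exit }'
}

# portrange_size OUTPUT: number of ports in the default range [first, last],
# i.e. how many outgoing connections can hold a distinct source port at once.
portrange_size() {
    first=$(portrange_get "$1" first)
    last=$(portrange_get "$1" last)
    echo $((last - first + 1))
}

# portrange_audit OUTPUT: print WARN lines for settings the Handbook text
# advises against; return 0 when clean, 1 when anything was flagged.
portrange_audit() {
    out="$1"
    first=$(portrange_get "$out" first)
    last=$(portrange_get "$out" last)
    reservedhigh=$(portrange_get "$out" reservedhigh)
    randomized=$(portrange_get "$out" randomized)
    rc=0
    if [ "$first" -le "$reservedhigh" ]; then
        echo "WARN: first=$first is inside the reserved range (<= $reservedhigh);" \
             "the Handbook advises against lowering first, and firewalls may block it"
        rc=1
    fi
    if [ "$first" -gt "$last" ]; then
        echo "WARN: first=$first > last=$last, the default range is empty"
        rc=1
    fi
    if [ "$randomized" != "1" ]; then
        echo "WARN: ephemeral port randomization is off (randomized=$randomized)"
        rc=1
    fi
    return $rc
}

# Run against the constructed sample. On a live FreeBSD host, replace
# "$SAMPLE" with "$(sysctl net.inet.ip.portrange)".
echo "default ephemeral range size: $(portrange_size "$SAMPLE")"
portrange_audit "$SAMPLE" && echo "portrange audit: OK"
```

With the 11.1-STABLE values the default range is 10000 through 65535, i.e. 55536 ports, so the Handbook's suggestion to raise net.inet.ip.portrange.last to 10000, 20000 or 30000 would actually shrink it. Lowering first to 600, as the Handbook cautions against, trips the reserved-range warning even though it adds ports.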