net.inet.ip.portrange and The FreeBSD Handbook

Rick Miller vmiller at hostileadmin.com
Thu Nov 30 19:37:35 UTC 2017 

Hi all,

I found The FreeBSD Handbook[1] had this to say regarding
net.inet.ip.portrange.* sysctl variables:

“The net.inet.ip.portrange.* sysctl(8) variables control the port number
ranges automatically bound to TCP and UDP sockets. There are three ranges:
a low range, a default range, and a high range. Most network programs use
the default range which is controlled by net.inet.ip.portrange.first and
net.inet.ip.portrange.last, which default to 1024 and 5000, respectively.
Bound port ranges are used for outgoing connections and it is possible to
run the system out of ports under certain circumstances. This most commonly
occurs when running a heavily loaded web proxy. The port range is not an
issue when running a server which handles mainly incoming connections, such
as a web server, or has a limited number of outgoing connections, such as a
mail relay. For situations where there is a shortage of ports, it is
recommended to increase net.inet.ip.portrange.last modestly. A value of
10000, 20000 or 30000 may be reasonable. Consider firewall effects when
changing the port range. Some firewalls may block large ranges of ports,
usually low-numbered ports, and expect systems to use higher ranges of
ports for outgoing connections. For this reason, it is not recommended that
the value of net.inet.ip.portrange.first be lowered.”

FreeBSD 11.1 deploys values contrary to those above:

# uname -sr
FreeBSD 11.1-STABLE
# sysctl net.inet.ip.portrange
net.inet.ip.portrange.randomtime: 45
net.inet.ip.portrange.randomcps: 10
net.inet.ip.portrange.randomized: 1
net.inet.ip.portrange.reservedlow: 0
net.inet.ip.portrange.reservedhigh: 1023
net.inet.ip.portrange.hilast: 65535
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.last: 65535
net.inet.ip.portrange.first: 10000
net.inet.ip.portrange.lowlast: 600
net.inet.ip.portrange.lowfirst: 1023

A commit in March 2008[2] sets net.inet.ip.portrange.first and last to
10000 and 65535 respectively. It’s apparently obvious The FreeBSD Handbook
includes obsolete guidelines. This raises the question “how does this
change the advice given in The Handbook?”

PR 223997 is opened to have The Handbook updated.

[1] https://www.freebsd.org/doc/handbook/configtuning-kernel-limits.html
[2]
https://svnweb.freebsd.org/base/stable/11/sys/netinet/in.h?revision=176805&view=markup

—
Rick



<703-581-3068>
-- 
Take care
Rick Miller

More information about the freebsd-doc mailing list