Ephemeral port range (patch)
Fernando Gont
fernando at gont.com.ar
Sun Mar 2 00:34:34 UTC 2008
At 08:42 p.m. 01/03/2008, Kevin Oberman wrote:
> > This patch changes the default ephemeral port range from 49152-65535
> > to 1024-65535. This makes it harder for an attacker to guess the
> > ephemeral ports (as the port number space is larger). Also, it makes
> > the chances of port number collisions smaller.
> >
> > (http://www.ietf.org/internet-drafts/draft-ietf-tsvwg-port-randomization-01.txt)
> >
> > This patch also includes my previous patch that eliminated duplicated
> > code in in_pcb_bind().
>
> The idea is good, but 1024 is way too low. Things like rpc and the like
> use ports well above 1024. Notably, 6000 and above are used by X. Maybe
> 10000 would be OK. Maybe not, though. I see that gnuserv and gkrellmd
> both use ports about 1000. (gnuserv uses 30871 and gkrellmd uses 19150.)
Other UNIX-like systems use that "low" port range. e.g., OpenBSD uses
the range 1024-49151. The idea would be to define a bit string in
which you can specify those ports that should not be used as
ephemeral ports (I will send this patch soon). (This is described in
the IETF internet-draft I referenced, too.)
I will also start working on the double-hash ephemeral port selection
algorithm described in the draft (this is, IMHO, the right approach
to ephemeral port randomization).
Kind regards,
--
Fernando Gont
e-mail: fernando at gont.com.ar || fgont at acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
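The double-hash ephemeral port selection the reply refers to, together with the bitmap of ports excluded from ephemeral use, as an added example. This is not Fernando Gont's patch nor FreeBSD code; it implements the scheme in the form later published in RFC 6056 (Algorithm 4): one keyed hash of (local IP, remote IP, remote port) picks an offset into the ephemeral range, a second keyed hash picks a per-destination counter, and the sum walks the range. Connections to the same destination get consecutive ports (as with classic sequential allocation) while other destinations get unrelated sequences. The 1024-65535 range from the patch, the 1024-entry counter table, the keyed FNV-1a stand-in for the draft's cryptographic hash, the key values and the in-use callback are illustrative assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Ephemeral range proposed in the patch under discussion. */
#define MIN_EPHEMERAL 1024u
#define MAX_EPHEMERAL 65535u
#define NUM_EPHEMERAL (MAX_EPHEMERAL - MIN_EPHEMERAL + 1u)
#define TABLE_SIZE    1024u   /* number of per-destination counters; a tunable */

struct conn_id {
    uint32_t local_ip;     /* addresses and port in network byte order */
    uint32_t remote_ip;
    uint16_t remote_port;
};

/* Bitmap of ports that must never be handed out as ephemeral ports
 * (the "bit string" the reply proposes): one bit per port number. */
static uint8_t reserved_bitmap[65536 / 8];
/* The table[] of counters from the double-hash algorithm. */
static uint16_t table[TABLE_SIZE];
/* Constructed keys; a kernel would draw these from its CSPRNG at boot. */
static const uint8_t secret_key1[16] = "k1-constructed!";
static const uint8_t secret_key2[16] = "k2-constructed!";

void port_reserve(uint16_t port)
{
    reserved_bitmap[port >> 3] |= (uint8_t)(1u << (port & 7));
}

void port_reserve_range(uint16_t lo, uint16_t hi)
{
    for (uint32_t p = lo; p <= hi; p++)
        port_reserve((uint16_t)p);
}

bool port_is_reserved(uint16_t port)
{
    return (reserved_bitmap[port >> 3] >> (port & 7)) & 1u;
}

/* Clear bitmap and counters (test helper; a kernel initialises once). */
void reset_port_selection(void)
{
    memset(reserved_bitmap, 0, sizeof reserved_bitmap);
    memset(table, 0, sizeof table);
}

/* Keyed FNV-1a over (local IP, remote IP, remote port, key). A stand-in for
 * the cryptographic hash the draft calls for: it shows the algorithm, but an
 * attacker sampling many ports could recover the key, so do not ship it. */
static uint32_t keyed_hash(const struct conn_id *c, const uint8_t key[16])
{
    uint8_t buf[4 + 4 + 2 + 16];
    memcpy(buf, &c->local_ip, 4);
    memcpy(buf + 4, &c->remote_ip, 4);
    memcpy(buf + 8, &c->remote_port, 2);
    memcpy(buf + 10, key, 16);
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < sizeof buf; i++) {
        h ^= buf[i];
        h *= 16777619u;
    }
    return h;
}

/* In a kernel this is the PCB lookup; here the caller supplies it. */
typedef bool (*port_in_use_fn)(uint16_t port, const struct conn_id *c);

/* Returns a free, non-reserved port in [MIN_EPHEMERAL, MAX_EPHEMERAL],
 * or -1 when every port in the range is reserved or in use. */
int select_ephemeral_port(const struct conn_id *c, port_in_use_fn in_use)
{
    uint32_t offset = keyed_hash(c, secret_key1) % NUM_EPHEMERAL;
    uint32_t index  = keyed_hash(c, secret_key2) % TABLE_SIZE;

    for (uint32_t count = NUM_EPHEMERAL; count > 0; count--) {
        uint16_t port = (uint16_t)(MIN_EPHEMERAL +
                                   (offset + table[index]) % NUM_EPHEMERAL);
        table[index]++;           /* next connection to this destination moves on */
        if (!port_is_reserved(port) && !in_use(port, c))
            return port;
    }
    return -1;
}

bool port_never_in_use(uint16_t port, const struct conn_id *c)
{
    (void)port; (void)c; return false;
}

bool port_always_in_use(uint16_t port, const struct conn_id *c)
{
    (void)port; (void)c; return true;
}

int main(void)
{
    reset_port_selection();
    port_reserve(6000);           /* keep X11 out of the ephemeral pool */
    struct conn_id c = { 0x0100000a, 0x0101a8c0, 0x5000 };  /* constructed */
    for (int i = 0; i < 3; i++)
        printf("port %d\n", select_ephemeral_port(&c, port_never_in_use));
    return 0;
}
```

Two connections to the same (local IP, remote IP, remote port) share a counter, so the second selection is the first plus one (wrapping at the top of the range); a connection to another destination hashes to an unrelated offset, which is what denies an off-path attacker the ability to predict one client's port from another's. The reservation bitmap is consulted before the in-use check, so a reserved port costs one loop iteration rather than a PCB lookup.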