Ephemeral port range (patch)

Robert Watson rwatson at FreeBSD.org
Sun Mar 2 13:43:12 UTC 2008


On Sat, 1 Mar 2008, Mike Silbersack wrote:

> On Sat, 1 Mar 2008, Fernando Gont wrote:
>
>> This patch changes the default ephemeral port range from 49152-65535 to
>> 1024-65535. This makes it harder for an attacker to guess the ephemeral
>> ports (as the port number space is larger). Also, it makes the chances of
>> port number collisions smaller.
>> (http://www.ietf.org/internet-drafts/draft-ietf-tsvwg-port-randomization-01.txt)
>
> There are a number of commonly used ports above 1000, such as nfs and x11. I 
> think OpenBSD uses 10000-65535, maybe that's a safer choice to go with.

In order to get acceptable open connection counts with 10gbps ethernet, I've 
needed to run with a significantly lower starting portrange.  In practice, the 
following seems to do the trick for me:

   sysctl net.inet.ip.portrange.first=10000

Of course, I only run into this if I also increase maxsockets:

   sysctl kern.ipc.maxsockets=30000

Lowering the lower end of the ephemeral range to 10,000 would do the trick for 
me, anyway.

Robert N M Watson
Computer Laboratory
University of Cambridge
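Added example, not from the thread or from FreeBSD's own code: a small Python checker that scores the three ranges discussed above (49152-65535, 1024-65535, 10000-65535) by size, guessing difficulty, whether they can supply one port per socket up to a kern.ipc.maxsockets value, and which well-known listeners they would overlap. The service table is a constructed illustration (nfs and x11 are the ones raised in the thread), and "one ephemeral port per open connection" is an assumption.

```python
# Added example (not from the thread): evaluate a candidate ephemeral
# port range the way the discussion above does.
import math

# Constructed, illustrative list of listening services an ephemeral range
# might collide with; nfs and x11 are the ones raised in the thread.
SERVICES = {
    "nfs": (2049, 2049),
    "x11": (6000, 6063),
    "mysql": (3306, 3306),
    "postgresql": (5432, 5432),
    "vnc": (5900, 5900),
}

def range_size(first, last):
    """Number of ports in an inclusive ephemeral range."""
    if not (0 < first <= last <= 65535):
        raise ValueError("invalid port range")
    return last - first + 1

def guess_entropy_bits(first, last):
    """Bits of uncertainty an off-path attacker faces per port guess,
    assuming ports are picked uniformly at random within the range."""
    return math.log2(range_size(first, last))

def overlapping_services(first, last, services=SERVICES):
    """Names of services whose listening ports fall inside the range."""
    return sorted(name for name, (lo, hi) in services.items()
                  if lo <= last and hi >= first)

def fits_sockets(first, last, maxsockets):
    """True if the range can hand out one ephemeral port per socket up to
    maxsockets (assumption: one port per open outbound connection)."""
    return range_size(first, last) >= maxsockets

def evaluate(first, last, maxsockets):
    """Summary dict for one candidate range against a maxsockets value."""
    return {
        "ports": range_size(first, last),
        "entropy_bits": round(guess_entropy_bits(first, last), 2),
        "fits_maxsockets": fits_sockets(first, last, maxsockets),
        "overlaps": overlapping_services(first, last),
    }

if __name__ == "__main__":
    # The three ranges debated in the thread, against maxsockets=30000.
    for first, last in ((49152, 65535), (1024, 65535), (10000, 65535)):
        print(first, last, evaluate(first, last, maxsockets=30000))
```

The default 49152-65535 range holds only 16384 ports, which is why it cannot back 30000 sockets, while 10000-65535 avoids the nfs and x11 ports that 1024-65535 would overlap.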

