Date:      Sat, 01 Mar 2008 14:42:17 -0800
From:      "Kevin Oberman" <oberman@es.net>
To:        Fernando Gont <fernando@gont.com.ar>
Cc:        Rui Paulo <rpaulo@fnop.net>, freebsd-net@freebsd.org
Subject:   Re: Ephemeral port range (patch) 
Message-ID:  <20080301224217.33F0A45047@ptavv.es.net>
In-Reply-To: Your message of "Sat, 01 Mar 2008 11:34:27 -0200." <200803011338.m21DcY9Z026418@venus.xmundo.net> 


> Date: Sat, 01 Mar 2008 11:34:27 -0200
> From: Fernando Gont <fernando@gont.com.ar>
> Sender: owner-freebsd-net@freebsd.org
> 
> Folks,
> 
> This patch changes the default ephemeral port range from 49152-65535 
> to 1024-65535. This makes it harder for an attacker to guess the 
> ephemeral ports (as the port number space is larger). Also, it makes 
> the chances of port number collisions smaller. 
> (http://www.ietf.org/internet-drafts/draft-ietf-tsvwg-port-randomization-01.txt)
> 
> This patch also includes my previous patch that eliminated duplicated 
> code in in_pcb_bind().

The idea is good, but 1024 is way too low. Things like rpc and the like
use ports well above 1024. Notably, 6000 and above are used by X. Maybe
10000 would be OK. Maybe not, though. I see that gnuserv and gkrellmd
both use ports about 1000. (gnuserv uses 30871 and gkrellmd uses 19150.)
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net			Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751
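The trade-off in this exchange is the search space an off-path attacker must guess against versus the listening services that a wider ephemeral range would overlap. The following audit script is an added example, not code from this thread or from FreeBSD: it parses the output of FreeBSD's real `sysctl net.inet.ip.portrange` knobs (`first`, `last`, `randomized`) and a `sockstat -4l` listing to report, for a proposed range, how many bits of port entropy it gives and which listeners collide with it. Both inputs are constructed samples; the service ports (X at 6000, gkrellmd at 19150, gnuserv at 30871) mirror the ones cited above, and the hosts and PIDs are hypothetical.

```python
"""Audit a proposed ephemeral port range against ports that local services listen on.

Widening the ephemeral range makes outbound source ports harder to guess, but any
service that listens inside the range can collide with an outbound connection.
Sample inputs below are constructed; sysctl names are FreeBSD's net.inet.ip.portrange.*.
"""
import math
import re

# Constructed sample of `sysctl net.inet.ip.portrange` output. The values are the
# pre-patch defaults quoted in the thread, not read from a live host.
SYSCTL_OUTPUT = """\
net.inet.ip.portrange.first: 49152
net.inet.ip.portrange.last: 65535
net.inet.ip.portrange.randomized: 1
"""

# Constructed sample in the style of `sockstat -4l` (hypothetical PIDs and users).
SOCKSTAT_OUTPUT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       612   4  tcp4   *:22                  *:*
root     Xorg       701   3  tcp4   *:6000                *:*
alice    gkrellmd   833   5  tcp4   127.0.0.1:19150       *:*
alice    gnuserv    840   3  tcp4   127.0.0.1:30871       *:*
root     rpcbind    455   9  udp4   *:111                 *:*
"""


def parse_portrange(text):
    """Return {"first": ..., "last": ..., "randomized": ...} from sysctl output."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"net\.inet\.ip\.portrange\.(\w+):\s*(\d+)", line)
        if m:
            values[m.group(1)] = int(m.group(2))
    return values


def parse_listening_ports(text):
    """Extract (command, proto, port) for each listening socket, skipping the header."""
    ports = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 7:
            continue
        command, proto, local = fields[1], fields[4], fields[5]
        port = int(local.rsplit(":", 1)[1])  # works for "*:22" and "127.0.0.1:19150"
        ports.append((command, proto, port))
    return ports


def search_space_bits(first, last):
    """log2 of the number of ports an off-path attacker would have to guess among."""
    return math.log2(last - first + 1)


def collisions(first, last, listening):
    """Listening services whose port lies inside the ephemeral range [first, last]."""
    return [(cmd, proto, port) for cmd, proto, port in listening if first <= port <= last]


def audit(proposed_first, proposed_last,
          sysctl_text=SYSCTL_OUTPUT, sockstat_text=SOCKSTAT_OUTPUT):
    """Compare the current range with a proposed one and list colliding listeners."""
    current = parse_portrange(sysctl_text)
    listening = parse_listening_ports(sockstat_text)
    return {
        "current_bits": round(search_space_bits(current["first"], current["last"]), 2),
        "proposed_bits": round(search_space_bits(proposed_first, proposed_last), 2),
        "collisions": collisions(proposed_first, proposed_last, listening),
    }


if __name__ == "__main__":
    # Both candidate lower bounds mentioned in the thread, against the same upper bound.
    for first in (1024, 10000):
        report = audit(first, 65535)
        print(f"range {first}-65535: {report['proposed_bits']} bits "
              f"(current {report['current_bits']}), "
              f"colliding listeners: {report['collisions'] or 'none'}")
```

Run on a real host, the two constants would be replaced by the actual command output; the point the numbers make is that moving the lower bound from 1024 to 10000 costs only about a fifth of a bit of entropy while removing the X server from the collision list, so the audit of listeners matters more than the exact lower bound.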
