From owner-freebsd-questions@FreeBSD.ORG Thu Dec 4 23:17:18 2014
From: "FreeBSD Questioner"
To: freebsd-questions@freebsd.org
Subject: Re: Reserving localhost port numbers
Date: Fri, 5 Dec 2014 00:17:11 +0100
In-Reply-To: <44d281ajz0.fsf@be-well.ilk.org>
References: , <44d281ajz0.fsf@be-well.ilk.org>
List-Id: User questions

> Sent: Tuesday, December 02, 2014 at 12:13 PM
> From: "Lowell Gilbert"

Thank you for your reply Lowell!
> > When making these connections, the remote field systems "reverse
> > tunnel" certain listening ports to the server via the ssh -R
> > parameter.
>
> Ouch. That's pretty ugly, and (because you'll be running TCP over TCP)
> may not perform well. You might want to consider an architecture with an
> intermediary agent on the central server instead.

Ugly may reside largely in the eye of the beholder 8-)

We've been using this scheme for some time with very good results, although with a limited number of clients, and an ongoing concern about port number collisions. The service ports on the remote systems are for relatively low bandwidth communications. With our present number of systems, there haven't really been any performance issues.

By "intermediary agent" do you mean a dedicated service process on the central server? One of the benefits of this scheme is that it requires no custom service or client compiled software, just a small shell script on the clients.

We are considering scaling this solution though, so your concerns could still manifest with a larger number of clients.

> > It would be desirable to reserve a block of 10000 or so ports,
> > anywhere above the 1024 "privileged port" range.
>
> Are the sysctls in the net.inet.ip.portrange. set what you're looking for?

Thank you for this suggestion! I have the standard portrange values:

# sysctl net.inet.ip.portrange
net.inet.ip.portrange.randomtime: 45
net.inet.ip.portrange.randomcps: 10
net.inet.ip.portrange.randomized: 1
net.inet.ip.portrange.reservedlow: 0
net.inet.ip.portrange.reservedhigh: 1023
net.inet.ip.portrange.hilast: 65535
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.last: 65535
net.inet.ip.portrange.first: 10000
net.inet.ip.portrange.lowlast: 600
net.inet.ip.portrange.lowfirst: 1023

I've been doing a bit of reading on these parameters, but I'm still not clear on exactly what they do.
I understand that first and last control where the networking stack will locate transient outbound connections, but there are still some unknowns for me:

1) Say I increase first to 20000. Can I then safely assign my tunneled ports into the 10000-20000 range? Or will the kernel consider it an error for a user process to open a port outside of the first - last range?

2) What is the difference between the "default" range (10000-65535) and the "high" range (49152-65535)? Which software will use which range?

3) Do these parameters only control where the kernel allocates ports, or does the kernel use them as allowable ranges for applications attempting to open ports?

Thank you again for your input!
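The questions above come down to one distinction: net.inet.ip.portrange.first/last (and the hi*/low* pairs, selected per socket with the IP_PORTRANGE option) only steer the kernel's choice of an anonymous port when a socket has no port yet, that is an implicit bind on connect() or a bind() to port 0. An explicit bind() to a chosen port, which is what sshd does on the server for each `ssh -R` listener, is not checked against first..last at all; the only explicit-bind restriction is the reservedlow..reservedhigh privileged range, which needs root (or a mac_portacl rule). So raising `first` keeps the ephemeral allocator out of a tunnel block, but it does not stop any other unprivileged process on the server from binding into that block; a listener there still fails with the usual "address already in use", and ssh reports the forwarding failure for that port. The script below is an added example for this thread, not code from the original posts. It reads the live range with `sysctl -n` (FreeBSD) or from /proc/sys/net/ipv4/ip_local_port_range (Linux), falls back to a constructed range copied from the values quoted in the mail, checks a proposed tunnel block for overlap with the ephemeral and privileged ranges, and then demonstrates with loopback sockets that an explicit bind below `first` is accepted while an implicit bind lands inside first..last. The 200-port probe window below `first` and the 10000-19999 sample block are arbitrary choices made for the example.

```python
#!/usr/bin/env python3
"""Added example for this mailing-list thread, not code from the posts.

Checks whether a block of ports set aside for ssh -R listeners can collide
with the kernel's ephemeral (anonymous) port range, then shows with live
sockets on 127.0.0.1 that an explicit bind() below
net.inet.ip.portrange.first is still accepted, while an implicit bind (an
unbound socket calling connect()) lands inside first..last.

Assumptions: the live range is read with `sysctl -n` (FreeBSD) and, failing
that, from /proc/sys/net/ipv4/ip_local_port_range (Linux); CONSTRUCTED_RANGE
is a made-up fallback mirroring the values quoted in the mail; the 200-port
window probed below `first` is arbitrary.
"""
import socket
import subprocess

CONSTRUCTED_RANGE = (10000, 65535)  # portrange.first/last as quoted in the mail
RESERVED_HIGH = 1023                # net.inet.ip.portrange.reservedhigh (stock)


def ephemeral_range():
    """Return (first, last) used for implicit binds, or None if unknown."""
    try:
        out = subprocess.run(
            ["sysctl", "-n", "net.inet.ip.portrange.first",
             "net.inet.ip.portrange.last"],
            capture_output=True, text=True, check=True).stdout.split()
        return int(out[0]), int(out[1])
    except (OSError, subprocess.CalledProcessError, ValueError, IndexError):
        pass
    try:  # Linux keeps the equivalent pair here
        with open("/proc/sys/net/ipv4/ip_local_port_range") as fh:
            lo, hi = fh.read().split()
            return int(lo), int(hi)
    except (OSError, ValueError):
        return None


def block_conflicts(block, eph):
    """Reasons a reserved tunnel block (lo, hi) is unsafe given the
    ephemeral range eph; an empty list means the block is clear."""
    lo, hi = block
    problems = []
    if lo <= RESERVED_HIGH:
        problems.append("reaches privileged ports (<= %d): sshd needs root or "
                        "mac_portacl to bind them" % RESERVED_HIGH)
    if lo <= eph[1] and hi >= eph[0]:
        problems.append("overlaps ephemeral range %d-%d: set "
                        "net.inet.ip.portrange.first above %d"
                        % (eph[0], eph[1], hi))
    return problems


def demo():
    """Bind explicitly below `first`, then connect implicitly; report both."""
    eph = ephemeral_range()
    res = {"ephemeral": eph or CONSTRUCTED_RANGE, "live": eph is not None,
           "explicit_port": None, "implicit_port": None}
    first = res["ephemeral"][0]
    listener = None
    # What sshd does for `ssh -R <port>:localhost:22 server`: an explicit
    # bind to a chosen port. Probe an (arbitrary) window just below `first`.
    for port in range(max(RESERVED_HIGH + 1, first - 200), first):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.bind(("127.0.0.1", port))
            s.listen(1)
            listener, res["explicit_port"] = s, port
            break
        except OSError:
            s.close()
    if listener is None:
        return res
    # An unbound socket calling connect() is handed an anonymous port; that
    # choice, and only that choice, is what first..last governs.
    client = socket.create_connection(("127.0.0.1", res["explicit_port"]))
    res["implicit_port"] = client.getsockname()[1]
    client.close()
    listener.close()
    return res


def explicit_bind_outside_range(res):
    """True if the kernel accepted a bind below portrange.first."""
    p = res["explicit_port"]
    return p is not None and p < res["ephemeral"][0]


def implicit_bind_inside_range(res):
    """True if the connect() side was given a port inside first..last."""
    lo, hi = res["ephemeral"]
    p = res["implicit_port"]
    return p is not None and lo <= p <= hi


if __name__ == "__main__":
    r = demo()
    print("ephemeral range %s (%s)" % (r["ephemeral"],
                                        "live" if r["live"] else "constructed"))
    print("explicit bind below first:", r["explicit_port"])
    print("implicit port from connect():", r["implicit_port"])
    for msg in block_conflicts((10000, 19999), r["ephemeral"]):
        print("block 10000-19999:", msg)
```

On a stock FreeBSD box the block 10000-19999 is reported as overlapping 10000-65535; after `sysctl net.inet.ip.portrange.first=20000` (made persistent in /etc/sysctl.conf) the same check comes back clean, and the demo still binds below 20000, which answers question 1: the range is advisory for allocation, not an allow-list for bind().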