Date:      Fri, 5 Dec 2014 00:17:11 +0100
From:      "FreeBSD Questioner" <freebsd-questions@gmx.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: Reserving localhost port numbers
Message-ID:  <trinity-84fc8143-9c27-4181-884a-0a20dea0af68-1417735030728@3capp-mailcom-lxa13>
In-Reply-To: <44d281ajz0.fsf@be-well.ilk.org>
References:  <trinity-2843f6bc-834a-464e-a671-a16327e982ae-1417549546056@3capp-mailcom-lxa06>, <44d281ajz0.fsf@be-well.ilk.org>

> Sent: Tuesday, December 02, 2014 at 12:13 PM
> From: "Lowell Gilbert" <freebsd-questions-local@be-well.ilk.org>

Thank you for your reply Lowell!

> >
> > When making these connections, the remote field systems "reverse
> > tunnel" certain listening ports to the server via the ssh -R
> > parameter.
> 
> Ouch. That's pretty ugly, and (because you'll be running TCP over TCP)
> may not perform well. You might want to consider an architecture with an
> intermediary agent on the central server instead.

Ugly may reside largely in the eye of the beholder 8-)

We've been using this scheme for some time with very good results. Although with a limited number of clients, and an ongoing concern about port number collisions.

The service ports on the remote systems are for relatively low bandwidth communications. With our present number of systems, there haven't really been any performance issues.

By "intermediary agent" do you mean a dedicated service process on the central server?

One of the benefits of this scheme is that it requires no custom service, or client, compiled software. Just a small shell script on the clients.

We are considering scaling this solution though. So your concerns could still manifest with a larger number of clients.

> > It would be desirable to reserve a block of 10000 or so ports, anywhere above the 1024 "privileged port" range.
> >
> 
> Are the sysctls in the net.inet.ip.portrange. set what you're looking for?
> 

Thank you for this suggestion!

I have the standard portrange values:

# sysctl net.inet.ip.portrange
net.inet.ip.portrange.randomtime: 45
net.inet.ip.portrange.randomcps: 10
net.inet.ip.portrange.randomized: 1
net.inet.ip.portrange.reservedlow: 0
net.inet.ip.portrange.reservedhigh: 1023
net.inet.ip.portrange.hilast: 65535
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.last: 65535
net.inet.ip.portrange.first: 10000
net.inet.ip.portrange.lowlast: 600
net.inet.ip.portrange.lowfirst: 1023

I've been doing a bit of reading on these parameters, but I'm still not clear on exactly what they do.

I understand that first and last control where the networking stack will locate transient outbound connections, but there are still some unknowns for me:

1) Say I increase first to 20000. Can I then safely assign my tunneled ports into the 10000-20000 range? Or will the kernel consider it an error for a user process to open a port outside of the first - last range?

2) What is the difference between the "default" range (10000-65535) and the "high" range (49152-65535)? Which software will use which range?

3) Do these parameters only control where the kernel allocates ports, or does the kernel use them as allowable ranges for applications attempting to open ports?

Thank you again for your input!
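Added example (not code from the thread or from FreeBSD) that turns the portrange values quoted above into a check of planned `ssh -R` listening ports for overlap with any range the kernel allocates ephemeral ports from, which is the collision the poster is worried about. It assumes the standard FreeBSD meaning of these sysctls: first..last is the default ephemeral range, hifirst..hilast the IP_PORTRANGE_HIGH range, lowfirst..lowlast the IP_PORTRANGE_LOW range (listed high to low), and reservedlow..reservedhigh the privileged ports; the embedded sysctl output is a constructed copy so the script runs offline.

```shell
# Check planned ssh -R listening ports against the FreeBSD net.inet.ip.portrange
# sysctls so they stay out of the ranges the kernel hands to ephemeral (outbound)
# connections. Added example, not code from the thread.
# Constructed copy of the range lines from the sysctl output quoted above, so the
# script runs offline; on FreeBSD use PORTRANGE_OUTPUT=$(sysctl net.inet.ip.portrange).
PORTRANGE_OUTPUT='net.inet.ip.portrange.reservedlow: 0
net.inet.ip.portrange.reservedhigh: 1023
net.inet.ip.portrange.hilast: 65535
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.last: 65535
net.inet.ip.portrange.first: 10000
net.inet.ip.portrange.lowlast: 600
net.inet.ip.portrange.lowfirst: 1023'

# portrange_get NAME -> value of net.inet.ip.portrange.NAME
portrange_get() {
    printf '%s\n' "$PORTRANGE_OUTPUT" |
        awk -v k="net.inet.ip.portrange.$1:" '$1 == k { print $2 }'
}

# in_range PORT A B -> true if PORT lies between A and B inclusive, in either
# order (lowfirst/lowlast are listed high-to-low).
in_range() {
    if [ "$2" -le "$3" ]; then lo=$2; hi=$3; else lo=$3; hi=$2; fi
    [ "$1" -ge "$lo" ] && [ "$1" -le "$hi" ]
}

# classify_port PORT -> comma-separated names of every range containing PORT
# (reserved, low, default, high), or "none".
classify_port() {
    hits=""
    in_range "$1" "$(portrange_get reservedlow)" "$(portrange_get reservedhigh)" && hits="${hits}reserved,"
    in_range "$1" "$(portrange_get lowfirst)" "$(portrange_get lowlast)" && hits="${hits}low,"
    in_range "$1" "$(portrange_get first)" "$(portrange_get last)" && hits="${hits}default,"
    in_range "$1" "$(portrange_get hifirst)" "$(portrange_get hilast)" && hits="${hits}high,"
    printf '%s\n' "${hits:-none,}" | sed 's/,$//'
}

# check_tunnel_ports PORT... -> prints "PORT ranges" for every port an ephemeral
# allocation could also land on; exit status 1 if any such port was found.
check_tunnel_ports() {
    rc=0
    for p in "$@"; do
        c=$(classify_port "$p")
        case $c in
            none|reserved) ;;                    # no ephemeral range covers it
            *) printf '%s %s\n' "$p" "$c"; rc=1 ;;
        esac
    done
    return $rc
}
[ $# -eq 0 ] || check_tunnel_ports "$@"
```

With the quoted values, `sh portcheck.sh 5000 15000 50000` reports 15000 and 50000 as overlapping and exits 1, while 5000 (above 1023, below first) is not covered by any range.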
