Re: ip local port range

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Albert D. Cahalan: "Re: ANSI C clarifications, with citations (was Re: [patch-2.4"
• Previous message: Khimenko Victor: "Re: [RFC] What should go into /usr/include/linux?"

>As has been dicussed on this list in April, Linux does not follow the
>IANA recommendation to use port number 49152 and higher for dynamic
>ports. Albert D. Cahalan suggested changing the current range of 1024
>till 4999 into 51024 till 514999. David Miller said 'Ok, this needs to
>be fixed then.' but Andi Kleen objected that the change would cause
>problems with poorly configured packes filters.

The packet filters need to be fixed then. I've been reading the
/proc file local-port-range inside my firewall scripts ever since
I discovered it. I assumed that this is what the file's purpose
was for in the first place, as well as to change the range if the
occasion is needed.

It does really make more sense IMHO to use higher port numbers
though since they are less likely to hit ports that daemons
require.

>Since then, it has been quiet about the topic, and the kernel has not
>been changed.

Is it not as simple as changing a single #define or
two?

>I would like to argue in favour of changing the range: first,
>it's the 'right' thing to do. Secondly, the old range generates
>problems with applications that expect to be able to bind to
>'their' port. In particular, I've experienced failures with
>HylaFAX, because the faxmail delivery agent uses port 4558,
>which at random times already was occupied. Thirdly, it's
>trivial to get back the old range with sysctl if you need
>compatibilty with broken packet filters. There is still time to
>do this IANA compliancy change now, once 2.4.0 is out we have
>to wait until at least 2.6, which may be a rather long time.

I think that this makes a lot of sense. Packet filters that are
broken can be fixed easily enough. Even in the case of binary
code, a few small hacks into an ELF file should fix things up.

Regardless of the official tree, I think I'm going to change mine
to use the above ranges you listed simply because I've also
encountered problems with ports being in use as well.

Take care.
TTYL

-- 
Mike A. Harris                                     Linux advocate     
Computer Consultant                                  GNU advocate  
Capslock Consulting                          Open Source advocate

I've overclocked my keyboard interface.  It's quite messy dipping my
hands into the mineral oil, but *MAN* is my keyboard ever fast now!
                                         - Anonymous Coward


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

• Next message: Albert D. Cahalan: "Re: ANSI C clarifications, with citations (was Re: [patch-2.4"
• Previous message: Khimenko Victor: "Re: [RFC] What should go into /usr/include/linux?"