Reserve Ephemeral ports Post: 302509739

Sponsored Content

Top Forums UNIX for Advanced & Expert Users Reserve Ephemeral ports Post 302509739 by rmtzcx on Thursday 31st of March 2011 03:17:52 PM

03-31-2011

Registered User

Quote:

Originally Posted by Corona688

... and the kernel certainly doesn't check /etc/services...

This may differ from system to system, but I think you're safe from random assignments when you use numbers less than 32768.

Hi Corona688,

I was under the impression that the kernel would not use ports listed on /etc/services for new connections.

goobid,

One solution could be change the value of the local port range in order to prevent the kernel to assign any random port below 40001. For example on Linux you can change it as follows:

Code:

sysctl -w "net.ipv4.ip_local_port_range=40002  65000"

# Add the line to /etc/sysctl.conf file a well
echo "net.ipv4.ip_local_port_range = 40002  65500" >>/etc/sysctl.conf

Under normal circumstances 25,000 ports for random assignments should be enough.

Here is a nice reference to change the value of the 'ephemeral' ports in other OSes.
The Ephemeral Port Range

rmtzcx

View Public Profile for rmtzcx

Find all posts by rmtzcx

8 More Discussions You Might Find Interesting

1. Solaris

Reserve Failed error for HD

Hi Guys, Anybody come across this error when formating a harddisk. "Reserved Failed" Supected hardisk failure, is my assumption correct. Thanks

2. Linux

proper way to reserve ports in linux

How do you debug a perl script non interactively, similar to bash -x?

3. Solaris

Reserve Memory for Global Zone

We have several containers on one machine and would like to reserve some memory for the global zone. capped-memory only allows max physical/swap and setting a max on each container isn't an option. The server has 32GB physical and 30GB swap. Currently there are ten containers on it. Normally...

4. Filesystems, Disks and Memory

Create file for space Reserve

Hi All, I want to make a 3GB of space reserve on Solaris. Let me know whether there is a way by creating empty file of 3GB so that i can delete that file in future to utilize that space. Or any other better ways for space reserve. -Vinodh' Kumar

5. Shell Programming and Scripting

Reserve resources (memory and processes)

I have a shell script which sets some variables and then calls modules of a program in succession, one by one. Problem is that the script is executed on servers with many users, so sometimes the script starts running, runs for 10 minutes and then breaks due to lack of resources when other users run...

6. AIX

Reserve Ports

Hi I have a ticket to Reserve ports for SAS install in SAS servers. Does anyone knows the procedure how to do it. it will be helpful for me please Thanks in Advance

7. Red Hat

Which is the effective ephemeral port range in Linux 2.6 for this set up?

In my Linux system ephemeral port range is showing different ranges as follows $ cat /proc/sys/net/ipv4/ip_local_port_range 32768 61000  cat /etc/sysctl.conf | grep net.ipv4.ip_local_port_range net.ipv4.ip_local_port_range = 9000 65500 Which will be the effective ephemeral port...

8. AIX

Forcing named 9 to use a fixed ephemeral port range

I'll start with I'm not an AIX expert, I inherited a lot of AIX servers to maintain. My problem is on AIX 7.1 TL4 SP4 environments. I'm running named as a DNS forwarder only to internal DNS servers. These AIX servers have a customized UDP ephemeral port range to avoid conflicting with the...

LEARN ABOUT FREEBSD

blackhole

BLACKHOLE(4)						   BSD Kernel Interfaces Manual 					      BLACKHOLE(4)

NAME

     blackhole -- a sysctl(8) MIB for manipulating behaviour in respect of refused TCP or UDP connection attempts

SYNOPSIS

     sysctl net.inet.tcp.blackhole[=[0 | 1 | 2]]
     sysctl net.inet.udp.blackhole[=[0 | 1]]

DESCRIPTION

     The blackhole sysctl(8) MIB is used to control system behaviour when connection requests are received on TCP or UDP ports where there is no
     socket listening.

     Normal behaviour, when a TCP SYN segment is received on a port where there is no socket accepting connections, is for the system to return a
     RST segment, and drop the connection.  The connecting system will see this as a ``Connection refused''.  By setting the TCP blackhole MIB to
     a numeric value of one, the incoming SYN segment is merely dropped, and no RST is sent, making the system appear as a blackhole.  By setting
     the MIB value to two, any segment arriving on a closed port is dropped without returning a RST.  This provides some degree of protection
     against stealth port scans.

     In the UDP instance, enabling blackhole behaviour turns off the sending of an ICMP port unreachable message in response to a UDP datagram
     which arrives on a port where there is no socket listening.  It must be noted that this behaviour will prevent remote systems from running
     traceroute(8) to a system.

     The blackhole behaviour is useful to slow down anyone who is port scanning a system, attempting to detect vulnerable services on a system.
     It could potentially also slow down someone who is attempting a denial of service attack.

WARNING

     The TCP and UDP blackhole features should not be regarded as a replacement for firewall solutions.  Better security would consist of the
     blackhole sysctl(8) MIB used in conjunction with one of the available firewall packages.

     This mechanism is not a substitute for securing a system.	It should be used together with other security mechanisms.

SEE ALSO

     ip(4), tcp(4), udp(4), ipf(8), ipfw(8), pfctl(8), sysctl(8)

HISTORY

     The TCP and UDP blackhole MIBs first appeared in FreeBSD 4.0.

AUTHORS

     Geoffrey M. Rehmet

BSD
								  January 1, 2007							       BSD