On Sun, 21 Aug 2011, Henrique de Moraes Holschuh <h...@debian.org> wrote:
> On Sat, 20 Aug 2011, Andreas Barth wrote:
> > * Henrique de Moraes Holschuh (h...@debian.org) [110820 14:39]:
> > > Yes. And we can easily maintain a current one for Debian-packaged
> > > software, although the initial build of such a blacklist will take
> > > some work.
> >
> > Actually, the existing interface net.ipv4.ip_local_port_range seems to
> > work quite well. And there are so many ports that for most servers it

# cat /proc/sys/net/ipv4/ip_local_port_range
32768	61000

The above is from one of my systems. This isn't used for RPC, presumably
because they want the special <1024 port numbers that imply root ownership.

> No, it doesn't. And we have at least one extremely important protocol that
> needs as many ports as we can give it (DNS).

Aug 21 11:42:48 ns named[2382]: using default UDP/IPv4 port range: [1024, 65535]
Aug 21 11:42:48 ns named[2382]: using default UDP/IPv6 port range: [1024, 65535]

BIND seems to use ports >1024 as well, again this is different from the
typical RPC issues but does have the potential to cause problems (there are
more than a few UDP ports >1024 in /etc/services). Maybe BIND should be
patched to use the same port reservation procedure as RPC.

> A blacklist is the way to go, and we already have it. We just need to fill
> it, make it easier to extend (.d directory), tell people about it, and
> teach stuff other than SunRPC to use it when necessary.

Yes.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

Archive: http://lists.debian.org/201108212238.05409.russ...@coker.com.au
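The overlap the message worries about, registered ports in /etc/services that also fall inside a local (ephemeral) port range, can be enumerated mechanically. The following is an added example, not code from the thread or from Debian; the /etc/services excerpt is constructed, and the two ranges checked are the ones quoted in the message (the kernel's 32768-61000 and BIND's default 1024-65535 for UDP).

```python
import re

# Constructed /etc/services excerpt for illustration; a real file has thousands of entries.
SAMPLE_SERVICES = """\
# Network services, Internet style
ssh             22/tcp
domain          53/tcp
domain          53/udp
openvpn         1194/udp
radius          1812/udp        # RADIUS authentication
nfs             2049/udp
mysql           3306/tcp
dircproxy       57000/tcp
fido            60179/tcp
"""

# name, port/proto; aliases and trailing comments are ignored
SERVICE_RE = re.compile(r"^(\S+)\s+(\d+)/(\w+)")

def parse_services(text):
    """Yield (name, port, proto) from /etc/services-style text, skipping comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = SERVICE_RE.match(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3)

def parse_port_range(text):
    """Parse the two-number sysctl format, e.g. '32768\\t61000\\n' -> (32768, 61000)."""
    lo, hi = (int(x) for x in text.split())
    return lo, hi

def ephemeral_collisions(services_text, range_text, proto=None):
    """Registered services whose port could be handed out as a local source port."""
    # proto restricts the check (e.g. 'udp' for the BIND case); None checks every protocol
    lo, hi = parse_port_range(range_text)
    hits = {(n, p, pr) for n, p, pr in parse_services(services_text)
            if lo <= p <= hi and (proto is None or pr == proto)}
    return sorted(hits, key=lambda t: (t[1], t[2], t[0]))

if __name__ == "__main__":
    for hit in ephemeral_collisions(SAMPLE_SERVICES, "32768 61000"):
        print("kernel ephemeral range overlaps %s %d/%s" % hit)
    for hit in ephemeral_collisions(SAMPLE_SERVICES, "1024 65535", proto="udp"):
        print("BIND default UDP range overlaps %s %d/%s" % hit)
```

On a Linux host the same functions can be fed the real `/etc/services` and `/proc/sys/net/ipv4/ip_local_port_range` contents to see which local services a daemon might be unable to bind if a client grabbed the port first.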