At 08:42 p.m. 01/03/2008, Kevin Oberman wrote:

> > This patch changes the default ephemeral port range from 49152-65535
> > to 1024-65535. This makes it harder for an attacker to guess the
> > ephemeral ports (as the port number space is larger). Also, it makes
> > the chances of port number collisions smaller.
> > (http://www.ietf.org/internet-drafts/draft-ietf-tsvwg-port-randomization-01.txt)
> >
> > This patch also includes my previous patch that eliminated duplicated
> > code in in_pcb_bind().
>
> The idea is good, but 1024 is way too low. Things like rpc and the like
> use ports well above 1024. Notably, 6000 and above are used by X. Maybe
> 10000 would be OK. Maybe not, though. I see that gnuserv and gkrellmd
> both use ports about 1000. (gnuserv uses 30871 and gkrellmd uses 19150.)

Other UNIX-like systems use that "low" port range, e.g., OpenBSD uses the range 1024-49151. The idea would be to define a bit string in which you can specify those ports that should not be used as ephemeral ports (I will send this patch soon). (This is described in the IETF internet-draft I referenced, too.)

I will also start working on the double-hash ephemeral port selection algorithm described in the draft (this is, IMHO, the right approach to ephemeral port randomization).

Kind regards,

--
Fernando Gont
e-mail: [EMAIL PROTECTED] || [EMAIL PROTECTED]
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
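As an added illustration, not Fernando's patch nor FreeBSD kernel code, here is the draft's double-hash port selection combined with the port-exclusion bit string discussed above, in C. It assumes an FNV-1a stand-in for the keyed hash (the draft specifies a cryptographic hash), a constructed in-use table in place of the in_pcb lookup, and reserves the ports named in the thread (X at 6000+, gnuserv 30871, gkrellmd 19150) as sample input.

```c
#include <stdint.h>
#include <string.h>

#define PORT_MIN 1024                    /* range proposed by the patch */
#define PORT_MAX 65535
#define NPORTS   (PORT_MAX - PORT_MIN + 1)
#define TABLE_SZ 256                     /* size of the draft's per-bucket counter table */

static uint8_t  reserved[65536 / 8];     /* bit string: ports never handed out as ephemeral */
static uint8_t  in_use[65536 / 8];       /* constructed stand-in for the in_pcb lookup */
static uint32_t table[TABLE_SZ];         /* counters that persist across connections */

static void bit_set(uint8_t *m, unsigned p) { m[p >> 3] |= (uint8_t)(1u << (p & 7)); }
static int  bit_get(const uint8_t *m, unsigned p) { return (m[p >> 3] >> (p & 7)) & 1; }
void reserve_port_range(unsigned lo, unsigned hi) { while (lo <= hi) bit_set(reserved, lo++); }
void mark_in_use(unsigned port) { bit_set(in_use, port); }
int  port_is_suitable(unsigned port) { return !bit_get(reserved, port) && !bit_get(in_use, port); }

/* Keyed hash stand-in: FNV-1a over (local addr, remote addr, remote port, secret).
 * The draft calls for a cryptographic hash; FNV is used only to keep this example self-contained. */
static uint32_t keyed_hash(uint32_t laddr, uint32_t faddr, uint16_t fport, uint64_t secret) {
    uint8_t buf[18];
    memcpy(buf, &laddr, 4); memcpy(buf + 4, &faddr, 4);
    memcpy(buf + 8, &fport, 2); memcpy(buf + 10, &secret, 8);
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < sizeof buf; i++) { h ^= buf[i]; h *= 16777619u; }
    return h;
}

/* Double-hash selection: the starting offset is per 3-tuple and the counter bucket is picked by
 * a second keyed hash, so a given peer sees a sequential walk from an unpredictable start while
 * other peers learn nothing about it. Returns 0 when every port in range is reserved or in use. */
uint16_t select_ephemeral_port(uint32_t laddr, uint32_t faddr, uint16_t fport,
                               uint64_t secret1, uint64_t secret2) {
    uint32_t offset = keyed_hash(laddr, faddr, fport, secret1);
    uint32_t index  = keyed_hash(laddr, faddr, fport, secret2) % TABLE_SZ;
    for (unsigned count = NPORTS; count > 0; count--) {
        unsigned port = PORT_MIN + (offset + table[index]) % NPORTS;
        table[index]++;
        if (port_is_suitable(port)) return (uint16_t)port;
    }
    return 0;
}

/* Constructed sample: exclude the ports named in the thread and pretend some low ports are bound. */
void setup_sample(void) {
    reserve_port_range(6000, 6063); reserve_port_range(30871, 30871); reserve_port_range(19150, 19150);
    for (unsigned p = PORT_MIN; p < PORT_MIN + 100; p++) mark_in_use(p);
}
```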
