A little question in the config chapter (handbook)

Marco Trentini mark at remotelab.org
Sun Nov 6 11:32:54 UTC 2005


While reading the chapter I came across this section:

.....
      <sect3>
        <title><varname>net.inet.ip.portrange.*</varname></title>

        <indexterm>
          <primary>net.inet.ip.portrange.*</primary>
        </indexterm>

        <para>The <varname>net.inet.ip.portrange.*</varname> sysctl
          variables control the port number ranges automatically bound to TCP
          and UDP sockets.  There are three ranges: a low range, a default
          range, and a high range.  Most network programs use the default
          range which is controlled by the
          <varname>net.inet.ip.portrange.first</varname> and
          <varname>net.inet.ip.portrange.last</varname>, which default to
          1024 and 5000, respectively.  Bound port ranges are used for
          outgoing connections, and it is possible to run the system out of
          ports under certain circumstances.  This most commonly occurs
          when you are running a heavily loaded web proxy.  The port range
          is not an issue when running servers which handle mainly incoming
          connections, such as a normal web server, or has a limited number
          of outgoing connections, such as a mail relay.  For situations
          where you may run yourself out of ports, it is recommended to
          increase <varname>net.inet.ip.portrange.last</varname> modestly.
          A value of <literal>10000</literal>, <literal>20000</literal> or
          <literal>30000</literal> may be reasonable.  You should also
          consider firewall effects when changing the port range.  Some
          firewalls may block large ranges of ports (usually low-numbered
          ports) and expect systems to use higher ranges of ports for
          outgoing connections — for this reason it is recommended that
          <varname>net.inet.ip.portrange.first</varname> be lowered.</para>
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      </sect3>
.....

The question is about the last sentence of this section ("Some
firewalls may block ...."). Why should net.inet.ip.portrange.first
be lowered when some firewalls in general may block
ranges of low-numbered ports? I think it should be increased,
or not?

-- 
Marco Trentini                mark at remotelab.org
http://www.remotelab.org/
pgp public key at:
http://www.remotelab.org/~mark/share/mark.asc
Key fingerprint = 2EBB 1F84 0FE4 FDB2 A40A  D8DC B487 6AAD D755 239D
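The following is an added example, not part of the handbook text quoted above nor of this post. It is a small POSIX sh helper that checks a proposed default port range for the net.inet.ip.portrange.first and net.inet.ip.portrange.last sysctls before it is committed to /etc/sysctl.conf: it counts how many ephemeral ports a range provides (which is what a busy proxy exhausts), rejects a first value below 1024 (the low-numbered ports that packet filters commonly restrict, which is why raising rather than lowering first is the safer direction), and rejects a last value that would overlap the high range. The policy checks are this example's own, not something the kernel enforces, and the high-range boundary HIFIRST=49152 is an assumed default of net.inet.ip.portrange.hifirst, not a value taken from the quoted text.

```shell
#!/bin/sh
# Added example; not from the FreeBSD Handbook or the original post.
# Validates a proposed net.inet.ip.portrange.first/.last pair and prints
# the /etc/sysctl.conf lines that would make it persistent.

HIFIRST=49152   # assumed default of net.inet.ip.portrange.hifirst

# True when $1 is an integer in 1..65535.
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Number of ports in the inclusive range first..last, i.e. how many
# concurrent outgoing sockets to one destination the range allows.
portrange_size() {
    echo $(( $2 - $1 + 1 ))
}

# Policy check for a range; returns 0 when acceptable, 1 otherwise,
# with the reason on stderr.  The policy is this example's own.
portrange_check() {
    first=$1; last=$2
    if ! is_port "$first" || ! is_port "$last"; then
        echo "portrange: values must be integers in 1..65535" >&2; return 1
    fi
    if [ "$first" -ge "$last" ]; then
        echo "portrange: first ($first) must be below last ($last)" >&2; return 1
    fi
    if [ "$first" -lt 1024 ]; then
        # Low-numbered ports are the ones firewalls commonly block for
        # outgoing connections, so first should not drop into them.
        echo "portrange: first ($first) is in the privileged range" >&2; return 1
    fi
    if [ "$last" -ge "$HIFIRST" ]; then
        echo "portrange: last ($last) overlaps the high range at $HIFIRST" >&2; return 1
    fi
    return 0
}

# Emits the sysctl.conf lines for a range that passed the check.
portrange_conf() {
    portrange_check "$1" "$2" || return 1
    printf 'net.inet.ip.portrange.first=%s\nnet.inet.ip.portrange.last=%s\n' "$1" "$2"
}

# Compare the handbook default (1024-5000) with two proxy-sized ranges.
for range in "1024 5000" "1024 30000" "10000 30000"; do
    set -- $range
    printf '%s-%s: %s usable ports\n' "$1" "$2" "$(portrange_size "$1" "$2")"
done
portrange_conf 10000 30000
```

Running the script prints the port count for each range (the default 1024-5000 yields only 3977 ports) followed by the two sysctl.conf lines for the 10000-30000 range; a range that fails the check produces a reason on stderr and a non-zero exit instead.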