Ephemeral port selection
Chuck Swiger
cswiger at mac.com
Mon Feb 12 18:42:05 UTC 2007
On Feb 12, 2007, at 7:16 AM, Fernando Gont wrote:
> Looking at FreeBSD's TCP implementation, I see that by default,
> ephemeral ports are selected from the range 49152-65535. This means
> that only 15K ports out of the available 65K port range are used
> for ephemeral port selection.
You can change the following sysctls:
net.inet.ip.portrange.first: 49152
net.inet.ip.portrange.last: 65535
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.hilast: 65535
...to adjust the range of ephemeral port #'s. I assume you're
familiar with the IANA document on port # ranges here:
http://www.iana.org/assignments/port-numbers
It's likely to be the case that you could use a larger range
(starting from 32K or even 10K) without bothering anything
significant, but it's not really apparent to me that doubling or
tripling the range of the available ephemeral ports is going to help
significantly except for unusual cases.
How many machines really need to have more than 15K open connections
outstanding and where the other parts of the connection tuple (srcIP,
srcPort, dstIP, dstPort) do not vary?
> We have also been working on an alternative port randomization
> scheme, that would help to avoid the problems described in Mike's
> presentation.
A better mechanism for allocating random ephemeral ports would
certainly be valuable.
--
-Chuck
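To make the connection-tuple point concrete, here is a small Python model added as an illustration (not code from the thread or from FreeBSD) of the sysctl-defined ephemeral range: how many bits of unpredictability a uniform random pick gives, and why a 16K range only runs out when srcIP, dstIP and dstPort all stay fixed. The allocator, the host addresses and the destination ports are assumptions made for the example.

```python
import math
import random

# Default FreeBSD ephemeral range quoted in the thread (net.inet.ip.portrange.first/last).
DEFAULT_FIRST = 49152
DEFAULT_LAST = 65535


def range_size(first=DEFAULT_FIRST, last=DEFAULT_LAST):
    """Number of ephemeral ports the sysctl range makes available."""
    return last - first + 1


def entropy_bits(first=DEFAULT_FIRST, last=DEFAULT_LAST):
    """Bits an off-path guesser must recover when the port is chosen uniformly at random."""
    return math.log2(range_size(first, last))


class EphemeralPortAllocator:
    """Idealised randomised allocator (a model built for this example, not FreeBSD's code).

    A source port is consumed per (src_ip, dst_ip, dst_port): the same source port can be
    reused towards a different destination because the 4-tuple is still unique.
    """

    def __init__(self, first=DEFAULT_FIRST, last=DEFAULT_LAST, seed=0):
        self.first, self.last = first, last
        self.rng = random.Random(seed)
        self._free = {}  # (src_ip, dst_ip, dst_port) -> shuffled list of unused ports

    def allocate(self, src_ip, dst_ip, dst_port):
        """Return a free random source port for this destination, or None when exhausted."""
        key = (src_ip, dst_ip, dst_port)
        if key not in self._free:
            ports = list(range(self.first, self.last + 1))
            self.rng.shuffle(ports)  # random order, so each pop is an unpredictable pick
            self._free[key] = ports
        free = self._free[key]
        return free.pop() if free else None


def successful_connections(first, last, attempts, dst_ports):
    """Count how many of `attempts` connections from one constructed host (10.0.0.1) to one
    constructed server (192.0.2.10) get a port, spread round-robin over `dst_ports`."""
    alloc = EphemeralPortAllocator(first, last)
    ok = 0
    for i in range(attempts):
        if alloc.allocate("10.0.0.1", "192.0.2.10", dst_ports[i % len(dst_ports)]) is not None:
            ok += 1
    return ok
```

With the default range, 20000 connections to a single dstIP:dstPort exhaust after 16384, while the same 20000 spread over two destination ports all succeed; widening the range to start at 10000 raises the guessing entropy from 14 to about 15.8 bits.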