Random source ports in FreeBSD?

From: Danil V.Gerun (news_at_625.ru)
Date: 09/18/04

    Date: Sat, 18 Sep 2004 23:22:48 +0400
    To: freebsd-security@freebsd.org

    Hello, all!

    To begin with, I want to say that this question seems to be a
    security one, doesn't it?

    Recently I was googling for the subject and couldn't find anything...
    Even in the opennet.ru forum nobody answered me about this.

    So, as far as I have found out, randomizing source ports in FreeBSD is
    impossible now? (to be exact - it is not implemented?)

    It's very interesting to me - WHY is it so?
    I mean - maybe there are good reasons for not doing all this?..

    Anyway, I looked at how it is done in OpenBSD and made a patch for

    I've uploaded the patches for FreeBSD 4 and FreeBSD 5 here:
    Direct links:

    It seems to be working on my 4.9 box =) - after recompiling the
    kernel the system picks a random port for making a connection.

    Especially when I increase net.inet.ip.portrange.last, for
    example, to the value 20000. The ports become 'more random' :)

    What the patch does: it creates a sysctl variable
    net.inet.ip.random_lport, which is "off" by default.
    When it is nonzero, the OpenBSD method is used in
    sys/netinet/in_pcb.c (in in_pcbbind() in FreeBSD 4 and
    in_pcbbind_setup() in FreeBSD 5) to pick a source port.
    Otherwise the 'old' FreeBSD method is used.

    The exact OpenBSD method for finding a free random port is used (but
    that wasn't just copy-paste =)) ).

    I don't have the opportunity to test the FreeBSD 5 patch, but I tried to
    analyze the patching results attentively (what I worry about is
    the use of the arc4random() function in FreeBSD 5...).

    I'm eager to hear your opinions on all this, as I'm rather a newbie to
    administering FreeBSD (and especially to 'hacking' the kernel).

    If you find errors, please try to understand that this is the first
    time I have decided to change something 'so deep' in FreeBSD and to
    make a patch for it ;-)) (but I tried my best to avoid errors)

    Some information about this patch is here - http://www.625.ru/rlsp/

    Best regards, Danil V. Gerun.
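As an added illustration (not the author's patch and not FreeBSD or OpenBSD kernel code): a user-space C model of the OpenBSD-style search the post describes, where a free port is chosen by starting at a random offset inside [first, last] and walking the range until an unbound port is found. The function and type names (pick_random_lport, port_set) are assumptions, the in-use table is a constructed stand-in for in_pcblookup(), and a seeded xorshift generator replaces arc4random() so the run is reproducible; the size of the range bounds how many distinct ports can come out, which is why widening portrange.last spreads the ports as the post observes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PORT_MAX 65536

typedef uint32_t (*rng_fn)(void);

/* Constructed stand-in for the kernel's PCB table: one bit per bound port. */
typedef struct { uint8_t bits[PORT_MAX / 8]; } port_set;

static void port_set_add(port_set *s, uint16_t p) { s->bits[p / 8] |= (uint8_t)(1u << (p % 8)); }
static int  port_in_use(const port_set *s, uint16_t p) { return (s->bits[p / 8] >> (p % 8)) & 1; }

/* Deterministic xorshift32 used in place of arc4random() for this illustration. */
static uint32_t xs_state = 2463534242u;
static uint32_t xorshift32(void)
{
    uint32_t x = xs_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return xs_state = x;
}

/* OpenBSD-style selection: random starting point in [first, last], then at
 * most `count` steps through the range (wrapping) to find an unbound port.
 * Returns 0 when every port in the range is taken (the kernel would return
 * EADDRNOTAVAIL). Accepts the bounds in either order, as the sysctls allow. */
static uint16_t pick_random_lport(uint16_t first, uint16_t last,
                                  const port_set *in_use, rng_fn rng)
{
    if (first > last) { uint16_t t = first; first = last; last = t; }
    uint32_t count = (uint32_t)last - first + 1;     /* distinct ports available */
    uint32_t port  = first + rng() % count;          /* random entry point */
    for (uint32_t tries = 0; tries < count; tries++) {
        if (!port_in_use(in_use, (uint16_t)port))
            return (uint16_t)port;
        port = (port == last) ? first : port + 1;    /* wrap within the range */
    }
    return 0;
}

int main(void)
{
    port_set bound; memset(&bound, 0, sizeof bound);
    for (unsigned p = 1024; p <= 1040; p++) port_set_add(&bound, (uint16_t)p); /* constructed */
    for (int i = 0; i < 5; i++)
        printf("picked source port %u\n", pick_random_lport(1024, 5000, &bound, xorshift32));
    return 0;
}
```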
