Re: Random source ports in FreeBSD?

From: Dmitry Pryanishnikov (dmitry_at_atlantis.dp.ua)
Date: 09/20/04

Date: Mon, 20 Sep 2004 13:13:31 +0300 (EEST)
To: Mike Silbersack <silby@silby.com>

    Hello!

    On Sat, 18 Sep 2004, Mike Silbersack wrote:
    >> So, as far as I got to know, randomizing source ports in FreeBSD is
    >> impossible now? (to be exact - is not implemented?)
    >>
    >> It's very interesting to me - WHY is it so?
    >> I mean - may be there are good reasons for not making all this?..
    >
    > Source port randomization was implemented before 4.10 was released. See
    > in_pcb.c revisions 1.143 - 1.146, 1.59.2.27, or 1.59.2.27.2.1, depending on
    > the branch you're interested in:
    >
    > http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/in_pcb.c

      Yes, source port randomization works in 4.10-RELEASE, but the port number
    sequence tends to give the same port number every 100-200 ports. Local
    FTP install of 4.10-RELEASE always fails for me; as a workaround I'm forced
    to issue sysctl net.inet.ip.portrange.randomized=0 before reselecting the FTP
    server in sysinstall. Are there plans to fix the quality of random port number
    generation under 4-STABLE?

    Sincerely, Dmitry

    -- 
    Atlantis ISP, System Administrator
    e-mail:  dmitry@atlantis.dp.ua
    nic-hdl: LYNX-RIPE
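An added check, not from the thread, for the symptom described above: given a sequence of allocated source ports, it measures how soon a port comes back and how often a fresh allocation reuses a port from the last N connections (one that may still be in TIME_WAIT, which is what breaks a quick reconnect to the same server). The weak generator is constructed to repeat every 128 ports, and the ephemeral range is an assumption; FreeBSD's real range is set by the net.inet.ip.portrange.* sysctls.

```python
import random

# Assumed ephemeral range for the illustration (IANA dynamic range); FreeBSD's
# actual range comes from the net.inet.ip.portrange.* sysctls.
PORT_LO, PORT_HI = 49152, 65535

def weak_ports(n, seed=1):
    """Constructed weak generator: a 7-bit LCG (full period 128) stretched over
    the port range. It can only emit 128 distinct ports, so every port comes
    back exactly 128 allocations later, much like the 100-200 figure above."""
    state = seed & 0x7F
    out = []
    for _ in range(n):
        state = (state * 5 + 1) & 0x7F      # a=5, c=1, m=128: full period
        out.append(PORT_LO + state * 128)    # spread the 128 values over the range
    return out

def strong_ports(n):
    """OS-entropy-backed uniform choice over the whole range."""
    rng = random.SystemRandom()
    return [rng.randint(PORT_LO, PORT_HI) for _ in range(n)]

def min_repeat_distance(ports):
    """Smallest number of allocations between two uses of the same port,
    or None if no port is ever reused."""
    last_seen, best = {}, None
    for i, p in enumerate(ports):
        if p in last_seen:
            gap = i - last_seen[p]
            best = gap if best is None else min(best, gap)
        last_seen[p] = i
    return best

def reuse_rate(ports, window):
    """Fraction of allocations that pick a port already used within the
    previous `window` allocations (a port that may still sit in TIME_WAIT)."""
    recent, hits = {}, 0
    for i, p in enumerate(ports):
        if p in recent and i - recent[p] <= window:
            hits += 1
        recent[p] = i
    return hits / len(ports)

if __name__ == "__main__":
    for name, seq in (("weak", weak_ports(2000)), ("strong", strong_ports(2000))):
        print(f"{name}: distinct={len(set(seq))} min_repeat={min_repeat_distance(seq)} "
              f"reuse_within_200={reuse_rate(seq, 200):.3f}")
```

The weak sequence reuses a recent port on almost every allocation once past the first cycle, while the entropy-backed one stays around window/range (about 1% here).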
