16th June 2010
J65nko
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,131

From ip(4)

Code:
     IP_PORTRANGE may be used to set the port range used for selecting a local
     port number on a socket with an unspecified (zero) port number.  It has
     the following possible values:

     IP_PORTRANGE_DEFAULT  use the default range of values, normally
			   IPPORT_HIFIRSTAUTO through IPPORT_HILASTAUTO.  This
			   is adjustable through the sysctl setting:
			   net.inet.ip.portrange.first and
			   net.inet.ip.portrange.last.

     IP_PORTRANGE_HIGH	   use a high range of values, normally
			   IPPORT_HIFIRSTAUTO and IPPORT_HILASTAUTO.  This is
			   adjustable through the sysctl setting:
			   net.inet.ip.portrange.hifirst and
			   net.inet.ip.portrange.hilast.

     IP_PORTRANGE_LOW	   use a low range of ports, which are normally
			   restricted to privileged processes on UNIX systems.
			   The range is normally from IPPORT_RESERVED - 1 down
			   to IPPORT_RESERVEDSTART in descending order.  This
			   is adjustable through the sysctl setting:
			   net.inet.ip.portrange.lowfirst and
			   net.inet.ip.portrange.lowlast.

     The range of privileged ports which only may be opened by root-owned pro-
     cesses may be modified by the net.inet.ip.portrange.reservedlow and
     net.inet.ip.portrange.reservedhigh sysctl settings.  The values default
     to the traditional range, 0 through IPPORT_RESERVED - 1 (0 through 1023),
     respectively.  Note that these settings do not affect and are not
     accounted for in the use or calculation of the other
     net.inet.ip.portrange values above.  Changing these values departs from
     UNIX tradition and has security consequences that the administrator
     should carefully evaluate before modifying these settings.

     Ports are allocated at random within the specified port range in order to
     increase the difficulty of random spoofing attacks.  In scenarios such as
     benchmarking, this behavior may be undesirable.  In these cases,
     net.inet.ip.portrange.randomized can be used to toggle randomization off.
     If more than net.inet.ip.portrange.randomcps ports have been allocated in
     the last second, then return to sequential port allocation.  Return to
     random allocation only once the current port allocation rate drops below
     net.inet.ip.portrange.randomcps for at least
     net.inet.ip.portrange.randomtime seconds.	The default values for
     net.inet.ip.portrange.randomcps and net.inet.ip.portrange.randomtime are
     10 port allocations per second and 45 seconds correspondingly.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
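The quoted ip(4) text describes IP_PORTRANGE as a per-socket request for which local port range the kernel draws from when you bind with port 0. The following C program is an added illustration, not code from the post or from FreeBSD: it requests a range with setsockopt(IP_PORTRANGE), binds a UDP socket on loopback with an unspecified port, and reads back the port the kernel chose with getsockname, then checks it against the default bounds the man page lists. The function names (allocate_local_port, port_within, default_bounds) and the PORT_RANGE_* constants are this example's own; the numeric fallbacks for IPPORT_* are the FreeBSD header defaults and are assumed only when the local headers do not define them. On a system without IP_PORTRANGE (e.g. Linux) the option is skipped and the kernel's normal ephemeral range applies, so the range check is only meaningful on BSD; IP_PORTRANGE_LOW still needs root at bind time, exactly as the man page says.

```c
/* Added example: request an IP_PORTRANGE class for a socket and verify the
 * port the kernel hands back. Not part of the original post or of FreeBSD. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* FreeBSD netinet/in.h defaults, assumed here only if the headers lack them. */
#ifndef IPPORT_RESERVED
#define IPPORT_RESERVED 1024
#endif
#ifndef IPPORT_RESERVEDSTART
#define IPPORT_RESERVEDSTART 600
#endif
#ifndef IPPORT_HIFIRSTAUTO
#define IPPORT_HIFIRSTAUTO 49152
#endif
#ifndef IPPORT_HILASTAUTO
#define IPPORT_HILASTAUTO 65535
#endif

/* Example's own names for the three range classes; mapped to the real
 * IP_PORTRANGE_* values where the platform provides them. */
enum { PORT_RANGE_DEFAULT = 0, PORT_RANGE_HIGH = 1, PORT_RANGE_LOW = 2 };

struct port_bounds { int lo; int hi; };

/* Default bounds for each class as documented in ip(4) (sysctl values may
 * move them; this reflects the shipped defaults only). */
struct port_bounds default_bounds(int range)
{
    struct port_bounds b = { IPPORT_HIFIRSTAUTO, IPPORT_HILASTAUTO };
    if (range == PORT_RANGE_LOW) {
        /* low range runs from IPPORT_RESERVED - 1 down to IPPORT_RESERVEDSTART */
        b.lo = IPPORT_RESERVEDSTART;
        b.hi = IPPORT_RESERVED - 1;
    }
    return b;
}

/* 1 if port lies within the default bounds of the given range class. */
int port_within(int port, int range)
{
    struct port_bounds b = default_bounds(range);
    return port >= b.lo && port <= b.hi;
}

/* Bind a UDP socket on 127.0.0.1 with an unspecified (zero) port after
 * requesting the range class; return the allocated port, or -1 on error
 * (including sandboxes that deny socket creation). */
int allocate_local_port(int range)
{
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    if (s < 0)
        return -1;
#ifdef IP_PORTRANGE
    int opt = (range == PORT_RANGE_HIGH) ? IP_PORTRANGE_HIGH
            : (range == PORT_RANGE_LOW)  ? IP_PORTRANGE_LOW
            :                              IP_PORTRANGE_DEFAULT;
    if (setsockopt(s, IPPROTO_IP, IP_PORTRANGE, &opt, sizeof opt) < 0) {
        close(s);
        return -1;
    }
#else
    (void)range; /* option unavailable here: kernel default range applies */
#endif
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = 0; /* let the kernel pick from the requested range */
    socklen_t len = sizeof sin;
    if (bind(s, (struct sockaddr *)&sin, sizeof sin) < 0 ||
        getsockname(s, (struct sockaddr *)&sin, &len) < 0) {
        close(s);
        return -1;
    }
    close(s);
    return ntohs(sin.sin_port);
}

int main(void)
{
    int p = allocate_local_port(PORT_RANGE_HIGH);
    if (p < 0) {
        perror("allocate_local_port");
        return 1;
    }
    printf("kernel allocated port %d (in default high range: %s)\n",
           p, port_within(p, PORT_RANGE_HIGH) ? "yes" : "no");
    return 0;
}
```

Running it twice in a row on a FreeBSD box with net.inet.ip.portrange.randomized left at its default shows two unrelated high ports, which is the randomization the man page describes; switching randomization off makes successive runs come back sequential.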