public inbox for gentoo-user@lists.gentoo.org
From: Javier Martinez <tazok.id0@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Linux ephemeral port range defaults to "broken".
Date: Thu, 7 Aug 2025 15:04:35 +0200	[thread overview]
Message-ID: <030aa5db-28bd-4064-995a-ac01f08ccaa1@gmail.com> (raw)
In-Reply-To: <107102s$em0$1@ciao.gmane.io>



On 7/8/25 at 3:38, Grant Edwards wrote:
> According to IANA (and before that ICANN and USC/ISI) port numbers
> from 1024 to 49151 are registered ports, and are to be used for
> specific protocols. For example ports 2222 and 44818 are registered
> for use by the Ethernet/IP Rockwell PLC protocol.
> 
> Dynamic or ephemeral ports are supposed to be in the range
> 49152-65535.
> 
> Linux defaults to 32768-60999 for ephemeral ports. That clearly
> overlaps with a _lot_ of assigned/registered port numbers in the range
> 32786-49151.
> 
> That seems just plain wrong. What am I missing?
> 
> It's simple enough to change the ephemeral range so it doesn't overlap
> with registered port numbers, and it looks like I'm going to need to
> do that to avoid possible collisions in a project I'm working on. The
> question is why do I have to do that? The standards are pretty clear.
> Why does Linux default to being broken like that?
> 
> --
> Grant
Ephemeral ports need to be randomized, so you need a range big enough.

Randomizing them is also critical, so you need a range big enough. You
can't have 49151 registered ports, most of them unused, and leave millions
of users sharing 11000 ports that need to be randomized to avoid attacks
such as some that happen in DNS queries, which got mitigated with source
port randomization.
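As an added example (not part of either message) of the trade-off the two posts argue over, this Python script assesses a net.ipv4.ip_local_port_range value: how many of its ports fall inside the IANA registered block, how many bits of source-port randomization it leaves, and what reserving individual registered ports via net.ipv4.ip_local_reserved_ports (an alternative to shrinking the whole range) does to that space. The sysctl names are the kernel's; the port values are taken from the thread, and the guess-probability figure assumes an off-path DNS spoofer that must hit both the 16-bit transaction ID and the source port.

```python
import math

# IANA/RFC 6335 blocks: registered 1024-49151, dynamic (ephemeral) 49152-65535.
REGISTERED = (1024, 49151)
IANA_DYNAMIC = (49152, 65535)
TXID_SPACE = 65536  # 16-bit DNS transaction ID


def parse_port_range(sysctl_value: str) -> tuple[int, int]:
    """Parse the 'lo hi' form of net.ipv4.ip_local_port_range."""
    lo, hi = (int(x) for x in sysctl_value.split())
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"invalid port range {lo}-{hi}")
    return lo, hi


def parse_reserved_ports(sysctl_value: str) -> frozenset[int]:
    """Parse the 'p,p,a-b' form of net.ipv4.ip_local_reserved_ports."""
    ports: set[int] = set()
    for item in filter(None, sysctl_value.replace(" ", "").split(",")):
        a, _, b = item.partition("-")
        ports.update(range(int(a), int(b or a) + 1))
    return frozenset(ports)


def registered_overlap(lo: int, hi: int) -> int:
    """Number of ports in [lo, hi] that lie inside the IANA registered block."""
    return max(0, min(hi, REGISTERED[1]) - max(lo, REGISTERED[0]) + 1)


def assess(lo: int, hi: int, reserved: frozenset[int] = frozenset()) -> dict:
    """Usable ports after reservations, entropy in bits, overlap with the
    registered block, and the chance one blind guess hits port AND txid."""
    usable = (hi - lo + 1) - sum(1 for p in reserved if lo <= p <= hi)
    return {
        "usable_ports": usable,
        "entropy_bits": math.log2(usable),
        "registered_overlap": registered_overlap(lo, hi),
        "blind_guess_probability": 1 / (usable * TXID_SPACE),
    }


if __name__ == "__main__":
    # Constructed inputs: the Linux default, the IANA dynamic block, and the
    # default with the two Ethernet/IP ports from the thread reserved.
    for label, rng, reserved in [("linux default", "32768\t60999", ""),
                                 ("iana dynamic", "49152 65535", ""),
                                 ("default+reserved", "32768\t60999", "2222,44818")]:
        lo, hi = parse_port_range(rng)
        print(label, assess(lo, hi, parse_reserved_ports(reserved)))
```

Shrinking to the IANA block costs about 0.8 bits of entropy against the default, while reserving the specific registered ports a host actually uses keeps the default's space essentially intact.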



Thread overview: 20+ messages
2025-08-07  1:38 [gentoo-user] Linux ephemeral port range defaults to "broken" Grant Edwards
2025-08-07  3:49 ` Alexandru N. Barloiu
2025-08-07  6:44 ` Zhixu Liu
2025-08-07 13:04 ` Javier Martinez [this message]
2025-08-07 13:12 ` Javier Martinez
2025-08-07 14:01   ` [gentoo-user] " Grant Edwards
2025-08-07 14:25     ` Javier Martinez
2025-08-07 14:37     ` Javier Martinez
2025-08-10  1:54 ` [gentoo-user] " Grant Taylor
2025-08-10 21:13   ` [gentoo-user] " Grant Edwards
2025-08-10 21:25     ` Javier Martinez
2025-08-10 21:35       ` Grant Edwards
2025-08-10 21:28     ` Grant Edwards
2025-08-10 21:30     ` Javier Martinez
2025-08-10 21:39       ` Grant Edwards
2025-08-10 21:43         ` Javier Martinez
2025-08-10 22:55           ` Grant Edwards
2025-08-10 23:12             ` Javier Martinez
2025-08-10 21:59         ` Javier Martinez
2025-08-10 23:00           ` Grant Edwards
