Re: [gentoo-user] Re: Linux ephemeral port range defaults to "broken".

[Javier Martinez <tazok.id0@gmail.com>]

[-- Attachment #1.1.1: Type: text/plain, Size: 3211 bytes --]


iptables -A OUTPUT -p tcp --sport 55500  -j DROP

Since ephemeral ports are used by clients and selected randomly, you 
force to switch another one.

Unpriv ports used by services not started by root are the irrelevant 
ones. No all people has "bittorrent" in their systems and need it 
available, neither nobody has ejabberd and needs this  port free. Anyone 
can use netcat to listen anything to your reserved port since ports 
above 1024 are for use FREELY. Netcat will not check if the is reserved, 
only if its free. If the port is below 1024 and has not privs, kernel 
will stop it. But just because a permissions question.

If I want clone a harddisk image from my system to a remote one I will 
switch the first one above 1025 to put ncat/netcat, if it fails because 
its used I would switch another one.

If one admin needs one of them available because will use this service 
could use iptables to forbid using it.

Getting unpriv services hardmasking ports in one system I think it's a 
silly and crazy idea and a waste of resources including a  security risk 
because source ports shall be selected randomly and is not the same 
switching between 10000 ports and switching between 32767 in strength of 
random. This is worse if your system has a lot of clients.

Neither no system will use ALL unpriv reserved ports to unpriv services. 
So you can't reserve 25000 (or more) ports to be able some day to use 
"one of them" having the other permanently unused.

DNS protocol is an example that not all ideas standarized are good 
ideas, as with DNSSEC or with the lack of randomized source of dns queries.







El 7/8/25 a las 16:01, Grant Edwards escribió:
> On 2025-08-07, Javier Martinez <tazok.id0@gmail.com> wrote:
> 
>> Also if you try to use one port from 32768 to one service you will
>> be able to do so if it's not used by any other.
> 
> Right, but the problem happens when you do need to bind to a specific
> port (e.g. 44818) and it's already in use as a local ephemeral port.
> 
>> Ports below 1024 has root privileges (CAP_NET_BIND_SERVICE) because
>> of this, this services are critical, services from 1024 dont because
>> they are not reserved to root.
> 
> True, but not relevent.
> 
>> Also, you can restrict using ports with iptables if you need for
>> example. So, if you need this port always available, tell iptables
>> that drop any connection from.
> 
> I don't understand.
> 
>   1. We don't care what remote source port incoming connections are
>      coming from. The remote ports used in connections don't conflict
>      with local ports.
>   
>   2. Iptables can't prevent a socket from being bound to a particular
>      local ephemeral port. I guess if iptables forces the TCP handshake
>      to fail, the socket will _probably_ be closed by the application.
> 
> The right answer is to use sysctl to reserve specific local ports
> within the ephemeral range via net.ipv4.ip_local_reserved_ports.
> 
> I know how the system works. I know how to fix the problem. My
> question was historical: why/how did Linux end up violating the
> standards by default?
> 
> --
> Grant
> 
> 
> 


[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 3145 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 840 bytes --]