From: Javier Martinez <tazok.id0@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: Linux ephemeral port range defaults to "broken".
Date: Thu, 7 Aug 2025 16:37:58 +0200 [thread overview]
Message-ID: <c72374b8-19e1-4010-9991-3f9ca20749f6@gmail.com> (raw)
In-Reply-To: <1072bk9$rvl$1@ciao.gmane.io>
On 7/8/25 at 16:01, Grant Edwards wrote:
> On 2025-08-07, Javier Martinez <tazok.id0@gmail.com> wrote:
>
>> Also if you try to use one port from 32768 to one service you will
>> be able to do so if it's not used by any other.
>
> Right, but the problem happens when you do need to bind to a specific
> port (e.g. 44818) and it's already in use as a local ephemeral port.
>
>> Ports below 1024 have root privileges (CAP_NET_BIND_SERVICE) because
>> of this, these services are critical; services from 1024 don't because
>> they are not reserved to root.
>
> True, but not relevant.
>
>> Also, you can restrict using ports with iptables if you need to, for
>> example. So, if you need this port always available, tell iptables
>> to drop any connection from it.
>
> I don't understand.
>
> 1. We don't care what remote source port incoming connections are
> coming from. The remote ports used in connections don't conflict
> with local ports.
>
> 2. Iptables can't prevent a socket from being bound to a particular
> local ephemeral port. I guess if iptables forces the TCP handshake
> to fail, the socket will _probably_ be closed by the application.
>
> The right answer is to use sysctl to reserve specific local ports
> within the ephemeral range via net.ipv4.ip_local_reserved_ports.
>
> I know how the system works. I know how to fix the problem. My
> question was historical: why/how did Linux end up violating the
> standards by default?
>
> --
> Grant
Take note that when you are using DNS, YOU ARE violating the standard,
since it doesn't comply with source port randomization. This appeared
because of vulnerabilities in the DNS protocol, and almost all servers
implement it. Everything done is done for something, and in this case because:
* Users are not admins, so we don't have to reserve ports for them
* Reserved ports are just below 1024: no root, no bind
* To assure users surfing, for example, we need to give them random ports.
  More free ports, more security for web services, DNS queries etc.
* Resources have to be used; reserving more than 50% of resources for an
  "if it gets used" is a bad idea
* The resource can be reserved by the admin with iptables if required.
  iptables -A OUTPUT -p tcp --sport 55500 -m conntrack --ctstate NEW -j DROP
* Resources must be administered by the admin (a.k.a. root), not by lusers
  who want their bittorrent port free if they want
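The sysctl approach Grant names above (net.ipv4.ip_local_reserved_ports), as an added example that is not code from the thread: a POSIX sh check that tells whether a fixed listening port (44818, the port in the discussion) can still be handed out by the kernel's ephemeral allocator, reading range and list strings in the format of the ip_local_port_range and ip_local_reserved_ports files, and building the reserved-ports value to set. Function names and the messages are mine.

```shell
# Added example, not from the thread: decide whether a fixed local port
# (44818, the port discussed above) can collide with the ephemeral allocator
# and build the ip_local_reserved_ports value that prevents it.
# port_in_range PORT "LOW HIGH": true when PORT lies in the ephemeral range
port_in_range() {
    p=$1; set -- $2
    [ "$p" -ge "$1" ] && [ "$p" -le "$2" ]
}

# port_reserved PORT "80,8000-8100,...": true when PORT is covered by the
# comma-separated list of single ports and ranges (the kernel's format)
port_reserved() {
    p=$1; rc=1; saved=$IFS; IFS=,
    for item in $2; do
        case $item in
            *-*) lo=${item%-*}; hi=${item#*-} ;;
            *)   lo=$item; hi=$item ;;
        esac
        [ "$p" -ge "$lo" ] && [ "$p" -le "$hi" ] && rc=0
    done
    IFS=$saved
    return $rc
}

# check_port PORT RANGE RESERVED: 0 when the allocator can never hand out
# PORT (outside the range, or reserved); 1 when a collision is possible
check_port() {
    if ! port_in_range "$1" "$2"; then
        echo "port $1: outside ephemeral range ($2), safe"; return 0
    elif port_reserved "$1" "$3"; then
        echo "port $1: inside ephemeral range but reserved, safe"; return 0
    fi
    echo "port $1: inside ephemeral range and NOT reserved, may collide"
    return 1
}

# reserve_value PORT RESERVED: new net.ipv4.ip_local_reserved_ports value
# with PORT added (unchanged when PORT is already covered)
reserve_value() {
    if port_reserved "$1" "$2"; then printf '%s\n' "$2"
    elif [ -z "$2" ]; then printf '%s\n' "$1"
    else printf '%s,%s\n' "$2" "$1"; fi
}

# Live check on this host when the sysctl files are readable (Linux)
d=/proc/sys/net/ipv4
if [ -r $d/ip_local_port_range ] && [ -r $d/ip_local_reserved_ports ]; then
    check_port 44818 "$(cat $d/ip_local_port_range)" "$(cat $d/ip_local_reserved_ports)" ||
        echo "fix: sysctl -w net.ipv4.ip_local_reserved_ports=$(reserve_value 44818 "$(cat $d/ip_local_reserved_ports)")"
fi
```

The reserved list only keeps the port out of automatic assignment; an explicit bind() to it is still allowed, which is exactly what the service needs. Put the value in /etc/sysctl.d to keep it across reboots.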