[gentoo-user] Linux ephemeral port range defaults to "broken".

[gentoo-user] Linux ephemeral port range defaults to "broken".

[Grant Edwards]

According to IANA (and before that ICANN and USC/ISI) port numbers
from 1024 to 49151 are registerd ports, and are to be used for
specific protocols. For example ports 2222 and 44818 are registered
for used by the Ethernet/IP Rockwell PLC protocol.

Dynamic or ephemeral ports are supposed to be in the range
49152-65535.

Linux defaults to 32768-60999 for ephemeral ports. That clearly
overlaps with a _lot_ of assigned/registered port numbers in the range
32786-49151.

That seems just plain wrong. What am I missing?

It's simple enough to change the ephemeral range so it doesn't overlap
with registered port numbers, and it looks like I'm going to need to
do that to avoid possible collisions in a project I'm working on. The
question is why do I have to do that? The standards are pretty clear.
Why does Linux default to being broken like that?

--
Grant

Re: [gentoo-user] Linux ephemeral port range defaults to "broken".

[Alexandru N. Barloiu]

On Thu, 2025-08-07 at 01:38 +0000, Grant Edwards wrote:
> According to IANA (and before that ICANN and USC/ISI) port numbers
> from 1024 to 49151 are registerd ports, and are to be used for
> specific protocols. For example ports 2222 and 44818 are registered
> for used by the Ethernet/IP Rockwell PLC protocol.
> 
> Dynamic or ephemeral ports are supposed to be in the range
> 49152-65535.
> 
> Linux defaults to 32768-60999 for ephemeral ports. That clearly
> overlaps with a _lot_ of assigned/registered port numbers in the
> range
> 32786-49151.
> 
> That seems just plain wrong. What am I missing?
> 
> It's simple enough to change the ephemeral range so it doesn't
> overlap
> with registered port numbers, and it looks like I'm going to need to
> do that to avoid possible collisions in a project I'm working on. The
> question is why do I have to do that? The standards are pretty clear.
> Why does Linux default to being broken like that?

its mostly legacy stuff and convention. at the end of the day, a port
is a port is a port. nothing more to it. 

that thing... 1->1023 is true. kernel actually wants you to be root to
bind those ports, but truth be told, all programs drop privileges.
smtp. imap. pop3. to make a few. they dont run as root. they start as
root and then drop privileges. 

so why even have the kernel thing in the first place? tradition.
inertia. 

a port is a port is a port. 

Re: [gentoo-user] Linux ephemeral port range defaults to "broken".

[Zhixu Liu]

[-- Attachment #1: Type: text/plain, Size: 461 bytes --]

>
>
> It's simple enough to change the ephemeral range so it doesn't overlap
> with registered port numbers, and it looks like I'm going to need to
> do that to avoid possible collisions in a project I'm working on. The
> question is why do I have to do that? The standards are pretty clear.
> Why does Linux default to being broken like that?
>

You can put your port in `ip_local_reserved_ports` to avoid being used by
automatic port assignments.

-- 
Z. Liu

[-- Attachment #2: Type: text/html, Size: 840 bytes --]

Re: [gentoo-user] Linux ephemeral port range defaults to "broken".

[Javier Martinez]

[-- Attachment #1.1.1: Type: text/plain, Size: 1373 bytes --]

El 7/8/25 a las 3:38, Grant Edwards escribió:
> According to IANA (and before that ICANN and USC/ISI) port numbers
> from 1024 to 49151 are registerd ports, and are to be used for
> specific protocols. For example ports 2222 and 44818 are registered
> for used by the Ethernet/IP Rockwell PLC protocol.
> 
> Dynamic or ephemeral ports are supposed to be in the range
> 49152-65535.
> 
> Linux defaults to 32768-60999 for ephemeral ports. That clearly
> overlaps with a _lot_ of assigned/registered port numbers in the range
> 32786-49151.
> 
> That seems just plain wrong. What am I missing?
> 
> It's simple enough to change the ephemeral range so it doesn't overlap
> with registered port numbers, and it looks like I'm going to need to
> do that to avoid possible collisions in a project I'm working on. The
> question is why do I have to do that? The standards are pretty clear.
> Why does Linux default to being broken like that?
> 
> --
> Grant
> 
> 
> 
> 
Ephemeral ports needs be randomized, so, you need a range big enough.

Randomizing them are also critical, so you need a range big enough. You 
cant have 49151 registered ports most of them unused and left millions 
users share 11000 ports that needs to be randomized to avoid attacks as 
some that happens in DNS queries which got mitigated with source port 
randomization.

[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 3145 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 840 bytes --]

Re: [gentoo-user] Linux ephemeral port range defaults to "broken".

[Javier Martinez]

[-- Attachment #1.1.1: Type: text/plain, Size: 1455 bytes --]

El 7/8/25 a las 3:38, Grant Edwards escribió:
> According to IANA (and before that ICANN and USC/ISI) port numbers
> from 1024 to 49151 are registerd ports, and are to be used for
> specific protocols. For example ports 2222 and 44818 are registered
> for used by the Ethernet/IP Rockwell PLC protocol.
> 
> Dynamic or ephemeral ports are supposed to be in the range
> 49152-65535.
> 
> Linux defaults to 32768-60999 for ephemeral ports. That clearly
> overlaps with a _lot_ of assigned/registered port numbers in the range
> 32786-49151.
> 
> That seems just plain wrong. What am I missing?
> 
> It's simple enough to change the ephemeral range so it doesn't overlap
> with registered port numbers, and it looks like I'm going to need to
> do that to avoid possible collisions in a project I'm working on. The
> question is why do I have to do that? The standards are pretty clear.
> Why does Linux default to being broken like that?
> 
> --
> Grant
> 
> 
> 
> 
Also if you try to use one port from 32768 to one service you will be 
able to do so if it's not used by any other. Ports below 1024 has root 
privileges (CAP_NET_BIND_SERVICE) because of this, this services are 
critical, services from 1024 dont because they are not reserved to root.

Also, you can restrict using ports with iptables if you need for 
example. So, if you need this port always available, tell iptables that 
drop any connection from.



[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 3145 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 840 bytes --]

[gentoo-user] Re: Linux ephemeral port range defaults to "broken".

[Grant Edwards]

On 2025-08-07, Javier Martinez <tazok.id0@gmail.com> wrote:

> Also if you try to use one port from 32768 to one service you will
> be able to do so if it's not used by any other.

Right, but the problem happens when you do need to bind to a specific
port (e.g. 44818) and it's already in use as a local ephemeral port.

> Ports below 1024 has root privileges (CAP_NET_BIND_SERVICE) because
> of this, this services are critical, services from 1024 dont because
> they are not reserved to root.

True, but not relevent.

> Also, you can restrict using ports with iptables if you need for
> example. So, if you need this port always available, tell iptables
> that drop any connection from.

I don't understand.

 1. We don't care what remote source port incoming connections are
    coming from. The remote ports used in connections don't conflict
    with local ports.
 
 2. Iptables can't prevent a socket from being bound to a particular
    local ephemeral port. I guess if iptables forces the TCP handshake
    to fail, the socket will _probably_ be closed by the application.

The right answer is to use sysctl to reserve specific local ports
within the ephemeral range via net.ipv4.ip_local_reserved_ports.

I know how the system works. I know how to fix the problem. My
question was historical: why/how did Linux end up violating the
standards by default?

--
Grant

Re: [gentoo-user] Re: Linux ephemeral port range defaults to "broken".

[Javier Martinez]

[-- Attachment #1.1.1: Type: text/plain, Size: 3211 bytes --]


iptables -A OUTPUT -p tcp --sport 55500  -j DROP

Since ephemeral ports are used by clients and selected randomly, you 
force to switch another one.

Unpriv ports used by services not started by root are the irrelevant 
ones. No all people has "bittorrent" in their systems and need it 
available, neither nobody has ejabberd and needs this  port free. Anyone 
can use netcat to listen anything to your reserved port since ports 
above 1024 are for use FREELY. Netcat will not check if the is reserved, 
only if its free. If the port is below 1024 and has not privs, kernel 
will stop it. But just because a permissions question.

If I want clone a harddisk image from my system to a remote one I will 
switch the first one above 1025 to put ncat/netcat, if it fails because 
its used I would switch another one.

If one admin needs one of them available because will use this service 
could use iptables to forbid using it.

Getting unpriv services hardmasking ports in one system I think it's a 
silly and crazy idea and a waste of resources including a  security risk 
because source ports shall be selected randomly and is not the same 
switching between 10000 ports and switching between 32767 in strength of 
random. This is worse if your system has a lot of clients.

Neither no system will use ALL unpriv reserved ports to unpriv services. 
So you can't reserve 25000 (or more) ports to be able some day to use 
"one of them" having the other permanently unused.

DNS protocol is an example that not all ideas standarized are good 
ideas, as with DNSSEC or with the lack of randomized source of dns queries.







El 7/8/25 a las 16:01, Grant Edwards escribió:
> On 2025-08-07, Javier Martinez <tazok.id0@gmail.com> wrote:
> 
>> Also if you try to use one port from 32768 to one service you will
>> be able to do so if it's not used by any other.
> 
> Right, but the problem happens when you do need to bind to a specific
> port (e.g. 44818) and it's already in use as a local ephemeral port.
> 
>> Ports below 1024 has root privileges (CAP_NET_BIND_SERVICE) because
>> of this, this services are critical, services from 1024 dont because
>> they are not reserved to root.
> 
> True, but not relevent.
> 
>> Also, you can restrict using ports with iptables if you need for
>> example. So, if you need this port always available, tell iptables
>> that drop any connection from.
> 
> I don't understand.
> 
>   1. We don't care what remote source port incoming connections are
>      coming from. The remote ports used in connections don't conflict
>      with local ports.
>   
>   2. Iptables can't prevent a socket from being bound to a particular
>      local ephemeral port. I guess if iptables forces the TCP handshake
>      to fail, the socket will _probably_ be closed by the application.
> 
> The right answer is to use sysctl to reserve specific local ports
> within the ephemeral range via net.ipv4.ip_local_reserved_ports.
> 
> I know how the system works. I know how to fix the problem. My
> question was historical: why/how did Linux end up violating the
> standards by default?
> 
> --
> Grant
> 
> 
> 


[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 3145 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 840 bytes --]

Re: [gentoo-user] Re: Linux ephemeral port range defaults to "broken".

[Javier Martinez]

[-- Attachment #1.1.1: Type: text/plain, Size: 2479 bytes --]

El 7/8/25 a las 16:01, Grant Edwards escribió:
> On 2025-08-07, Javier Martinez <tazok.id0@gmail.com> wrote:
> 
>> Also if you try to use one port from 32768 to one service you will
>> be able to do so if it's not used by any other.
> 
> Right, but the problem happens when you do need to bind to a specific
> port (e.g. 44818) and it's already in use as a local ephemeral port.
> 
>> Ports below 1024 has root privileges (CAP_NET_BIND_SERVICE) because
>> of this, this services are critical, services from 1024 dont because
>> they are not reserved to root.
> 
> True, but not relevent.
> 
>> Also, you can restrict using ports with iptables if you need for
>> example. So, if you need this port always available, tell iptables
>> that drop any connection from.
> 
> I don't understand.
> 
>   1. We don't care what remote source port incoming connections are
>      coming from. The remote ports used in connections don't conflict
>      with local ports.
>   
>   2. Iptables can't prevent a socket from being bound to a particular
>      local ephemeral port. I guess if iptables forces the TCP handshake
>      to fail, the socket will _probably_ be closed by the application.
> 
> The right answer is to use sysctl to reserve specific local ports
> within the ephemeral range via net.ipv4.ip_local_reserved_ports.
> 
> I know how the system works. I know how to fix the problem. My
> question was historical: why/how did Linux end up violating the
> standards by default?
> 
> --
> Grant
> 
> 
> 
Take note that when you are using DNS, YOU ARE violating the standard 
since don't complains with source port randomization. This appeared 
because vulnerabilities in DNS protocol and almost all servers implement 
it. Every thing done are done for something, and in this case because:

*Users are not admins, so we don't have to reserve them ports

*Reserved ports are just below 1024, no root, no bind

*To assure users surfing for example, we need to give them random ports. 
More ports free, more security for web services, dns queries etc

*Resources have to be used, reserving more than 50% of resources for a 
"if gets used" is a bad idea

*The resource can be reserved by the admin with iptables if required.
iptables -A OUTPUT -p tcp --sport 55500 -m CONNTRACK --ctstate NEW -j DROP

*Resources must be administrated by admin (a.k.a root), not by lusers 
that wants their bittorrent port free if they want

[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 3145 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 840 bytes --]

Re: [gentoo-user] Linux ephemeral port range defaults to "broken".

[Grant Taylor]

TL;DR:  As long as the two communicating endpoints are happy and there's 
not an overly restrictive firewall in the way, then it doesn't matter 
what ports are used.

On 8/6/25 8:38 PM, Grant Edwards wrote:
> According to IANA (and before that ICANN and USC/ISI) port numbers from 
> 1024 to 49151 are registerd ports, and are to be used for specific 
> protocols.

I don't disagree with the accuracy of that statement.  However I do 
Disagree with the implications.

> Dynamic or ephemeral ports are supposed to be in the range 49152-65535.

No.  That's the port range that's reserved for them.

Nothing about any of the reservations makes the port exclusive for what 
it's reserved for.

Remember, IP addresses and protocol ports are *locally* *significant* 
/on/ /both/ /ends/ of a connection.

Nothing other than the endpoints should care what ports are used.  Sure, 
some overzealous firewall configurations impose their will on the 
traffic that flows through them.

I can easily use any pair of ports that I want to between two systems. 
The only real restriction is that the two systems must agree and be 
willing to use the same ports for the connection.

What's more is that most servers don't care what port(s) clients are 
using as long as they talk to the port that the server daemon is 
listening on.  Meaning that servers only care about the destination IP 
and port of the inbound connection.

So I can have my client connect from any non-conflicting port on my 
client's IP address to the port the service is running on at the 
server's IP address.

This means that three of the four pieces of the tuple are known and the 
fourth is up to the client application and / or the client system's kernel.

  - client IP - known
  - server IP - known
  - client port - unknown
  - server port - known

I can limit my system to 49152-65535 or I can allow it to use 
1024-65535.  There are even ways to cause the client traffic to appear 
to be from port 1-65535.

Aside:  I don't remember what it is, but I feel like port 65535 has some 
sort of problem in some niche situation, so I'd actually stop at 65534.

So roughly, I can use ports ~49152-65535 or ports 1-65535 and have four 
times the range of ports.

This does work perfectly fine.

I've done this for years.

There has NEVER been a conflict between my client system and the server 
that I'm talking to.

I can even have my client talk from TCP port 443 to TCP port 80 on the 
server.  It doesn't matter.

Only the two communicating endpoints care.  --  And overly zealous 
firewall configurations.

> Linux defaults to 32768-60999 for ephemeral ports. That clearly 
> overlaps with a _lot_ of assigned/registered port numbers in the 
> range 32786-49151.

Yes.  So what?  It doesn't matter.  It obviously works and hasn't been a 
problem.

> That seems just plain wrong.

It's against the documentation.  But it works perfectly fine.

> What am I missing?

A different world view?  --  I mean that as the view of communicating 
devices, not who's name is penciled in next to a port.

> It's simple enough to change the ephemeral range so it doesn't overlap 
> with registered port numbers,

Yes.

> and it looks like I'm going to need to do that to avoid possible 
> collisions

I would ask why.  But you hint at some additional complications.

> in a project I'm working on.

Please elaborate.

I still bet that it won't be a problem.  (See draggons below.)

> The question is why do I have to do that?

You don't.

> The standards are pretty clear.

Many RFCs are clear on things.  SMTP RFCs strongly suggest that I should 
always accept every single piece of email that comes into my server. 
Yet for my own policy reasons I reject a LOT of email.

The standard is for interoperability.  If you're interoperable with 
things while not following the standard to the letter, cool.

> Why does Linux default to being broken like that?

It's not broken.

It's been working just fine for years.

Here be dragons.

If your application is listening to port 12345 on 192.0.2.1, I can still 
send traffic from 192.0.2.1:12345 to 198.51.100.1:23456.

There is no conflict between the two sockets below:

192.0.2.1:12345 - 0.0.0.0:0
192.0.2.1:12345 - 198.51.100.1:23456

The tuples (almost always) need to be unique.  The tuple is client IP & 
port and server IP & port.

This example re-use of port 12345 technically works.  However it's 
probably not the best idea to do because it may confuse humans.  It 
won't confuse the TCP/IP stack.  But we have some conventions in place 
to make things easier for humans.

To recap, as long as the two communicating endpoints are happy and 
there's not an overly restrictive firewall in the way, then it doesn't 
matter what ports are used.



-- 
Grant. . . .

[gentoo-user] Re: Linux ephemeral port range defaults to "broken".

[Grant Edwards]

On 2025-08-10, Grant Taylor <gtaylor@gentoo.tnetconsulting.net> wrote:

>> and it looks like I'm going to need to do that to avoid possible 
>> collisions
>
> I would ask why.  But you hint at some additional complications.

I need to be able to run servers that are required to bind to
specific, well-known, reserved ports that are within the Linux
ephemeral port range. If some client connection happens to be using
one of those reserved ports, then the server will be unable to run.

At least that's what my googling and reading have led me to
believe. Is that wrong?

Can a server bind to a and listen on a local port that is already
in-use as the source port for a TCP connection?

I guess I should test it...

--
Grant

Re: [gentoo-user] Re: Linux ephemeral port range defaults to "broken".

[Javier Martinez]

[-- Attachment #1.1.1: Type: text/plain, Size: 1447 bytes --]

El 10/8/25 a las 23:13, Grant Edwards escribió:
> On 2025-08-10, Grant Taylor <gtaylor@gentoo.tnetconsulting.net> wrote:
> 
>>> and it looks like I'm going to need to do that to avoid possible
>>> collisions
>>
>> I would ask why.  But you hint at some additional complications.
> 
> I need to be able to run servers that are required to bind to
> specific, well-known, reserved ports that are within the Linux
> ephemeral port range. If some client connection happens to be using
> one of those reserved ports, then the server will be unable to run.
> 
> At least that's what my googling and reading have led me to
> believe. Is that wrong?
> 
> Can a server bind to a and listen on a local port that is already
> in-use as the source port for a TCP connection?
> 
> I guess I should test it...
> 
> --
> Grant
> 
> 
> 
> 
> 
Taking measures to avoid it is an admin task, as to assure yourself that 
your users don't run bittorrent clients that eats all your widthband.

You can forward incoming connections from one port to another, for 
example forwarding incomming connections to 80 port  to your proxy one 
8080. The same with others

Anybody can run "nc" command and use your ports, it's not needed that 
were taken automatically by a firefox client for example.

You have tools to avoid it, between others iptables that can allow you 
even select which uid could use this port as with -m owner.



[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 3145 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 840 bytes --]

[gentoo-user] Re: Linux ephemeral port range defaults to "broken".

[Grant Edwards]

On 2025-08-10, Javier Martinez <tazok.id0@gmail.com> wrote:

> Taking measures to avoid it is an admin task,

It is on Linux (assuming the default kernel settings).  On other
systems it is not, because following The IANA/ICANN rules eliminates
need to take admin measures to avoid the problem in question.

That's why such rules are writen.

The Linux authors apprently decided to ignore the rules and place the
burden on admins to know what servers are going to be running, what
ports they use and take measures to reserve the ports needed by such
servers.

I dan deal with that, I'm just surprised that was the decision that
was made, and I was asking why.

Or do some distros automatically reserve the ports required for server
FOO when it is installed/enbled?

--
Grant

[gentoo-user] Re: Linux ephemeral port range defaults to "broken".

[Grant Edwards]

On 2025-08-10, Grant Edwards <grant.b.edwards@gmail.com> wrote:

> I need to be able to run servers that are required to bind to
> specific, well-known, reserved ports that are within the Linux
> ephemeral port range. If some client connection happens to be using
> one of those reserved ports, then the server will be unable to run.
>
> At least that's what my googling and reading have led me to
> believe. Is that wrong?
>
> Can a server bind to a and listen on a local port that is already
> in-use as the source port for a TCP connection?
>
> I guess I should test it...

My tests appear to confirm that you can not bind to a port that is
already in use as the local source port for an established connection.

Re: [gentoo-user] Re: Linux ephemeral port range defaults to "broken".

[Javier Martinez]

[-- Attachment #1.1.1: Type: text/plain, Size: 1063 bytes --]

El 10/8/25 a las 23:13, Grant Edwards escribió:
> On 2025-08-10, Grant Taylor <gtaylor@gentoo.tnetconsulting.net> wrote:
> 
>>> and it looks like I'm going to need to do that to avoid possible
>>> collisions
>>
>> I would ask why.  But you hint at some additional complications.
> 
> I need to be able to run servers that are required to bind to
> specific, well-known, reserved ports that are within the Linux
> ephemeral port range. If some client connection happens to be using
> one of those reserved ports, then the server will be unable to run.
> 
> At least that's what my googling and reading have led me to
> believe. Is that wrong?
> 
> Can a server bind to a and listen on a local port that is already
> in-use as the source port for a TCP connection?
> 
> I guess I should test it...
> 
> --
> Grant
> 
> 
> 
> 
> 
PD: nc -l myip myultracriticalport breaks your countermeasure of using 
proc to avoid port use (ip_local_reserved_ports) is part of the 
solution, not the solution itself. You need iptables in all cases.

[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 3145 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 840 bytes --]

[gentoo-user] Re: Linux ephemeral port range defaults to "broken".

[Grant Edwards]

On 2025-08-10, Javier Martinez <tazok.id0@gmail.com> wrote:

> PD: nc -l myip myultracriticalport breaks your countermeasure of
> using proc to avoid port use (ip_local_reserved_ports)

You can not run "nc -l myip myultracriticalport" on the system in
question.

> is part of the solution, not the solution itself. You need iptables
> in all cases.

No, I do not.

--
Grant

Re: [gentoo-user] Re: Linux ephemeral port range defaults to "broken".

[Javier Martinez]

[-- Attachment #1.1.1: Type: text/plain, Size: 785 bytes --]

El 10/8/25 a las 23:39, Grant Edwards escribió:
> On 2025-08-10, Javier Martinez <tazok.id0@gmail.com> wrote:
> 
>> PD: nc -l myip myultracriticalport breaks your countermeasure of
>> using proc to avoid port use (ip_local_reserved_ports)
> 
> You can not run "nc -l myip myultracriticalport" on the system in
> question.
> 
>> is part of the solution, not the solution itself. You need iptables
>> in all cases.
> 
> No, I do not.
> 
> --
> Grant
> 
> 
> 
> 
> 
> 
> 
> 
Any user with access to python or any socket interface in any 
programming language can put things to listen in ports above 1024 as are 
unprivilege ports.

The only solution is to use iptables to restrict it and killing the 
process that tried to use it triggered by iptables log.

[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 3145 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 840 bytes --]

[gentoo-user] Re: Linux ephemeral port range defaults to "broken".

[Grant Edwards]

On 2025-08-10, Javier Martinez <tazok.id0@gmail.com> wrote:

> Any user

There are none.

> with access to python

Not installed

> or any socket interface in any programming language

There are none available.

> can put things to listen in ports above 1024 as are unprivilege
> ports.
>
> The only solution is to use iptables to restrict it and killing the
> process that tried to use it triggered by iptables log.

That may be true for other systems, not for mine.

--
Grant

Re: [gentoo-user] Re: Linux ephemeral port range defaults to "broken".

[Javier Martinez]

[-- Attachment #1.1.1: Type: text/plain, Size: 823 bytes --]

El 11/8/25 a las 0:55, Grant Edwards escribió:
> On 2025-08-10, Javier Martinez <tazok.id0@gmail.com> wrote:
> 
>> Any user
> 
> There are none.
> 
>> with access to python
> 
> Not installed
> 
>> or any socket interface in any programming language
> 
> There are none available.
> 
>> can put things to listen in ports above 1024 as are unprivilege
>> ports.
>>
>> The only solution is to use iptables to restrict it and killing the
>> process that tried to use it triggered by iptables log.
> 
> That may be true for other systems, not for mine.
> 
> --
> Grant
> 
> 
> 
> 
> 
> 
Python interpreters are required a lot of times as a dependency. Even 
emerge is based in python and has dependencies with it.... so..... I 
guess that if your system has not python, its not gentoo.




[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 3145 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 840 bytes --]

Re: [gentoo-user] Re: Linux ephemeral port range defaults to "broken".

[Javier Martinez]

[-- Attachment #1.1.1: Type: text/plain, Size: 952 bytes --]

El 10/8/25 a las 23:39, Grant Edwards escribió:
> On 2025-08-10, Javier Martinez <tazok.id0@gmail.com> wrote:
> 
>> PD: nc -l myip myultracriticalport breaks your countermeasure of
>> using proc to avoid port use (ip_local_reserved_ports)
> 
> You can not run "nc -l myip myultracriticalport" on the system in
> question.
> 
>> is part of the solution, not the solution itself. You need iptables
>> in all cases.
> 
> No, I do not.
> 
> --
> Grant
> 
> 
> 
> 
> 
> 
> 
> 
You can do this:

Create iptable rule that allows using this port for one user with -m owner
If it's not this user who is trying to use the port, use  LOG with a 
concrete string with a DROP default policy.
Instruct syslog-ng with a rule using the "concrete string" to write a 
file monitored by inotify that execs one script that locates the 
offending command and kills it.

If not any troll with access to anything can use any port over 1024

[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 3145 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 840 bytes --]

[gentoo-user] Re: Linux ephemeral port range defaults to "broken".

[Grant Edwards]

On 2025-08-10, Javier Martinez <tazok.id0@gmail.com> wrote:

> You can do this:
> Create iptable rule [...]

Thanks, I know how netfilter and iptables work.

I do not need to use them to solve this problem.

In the future, I may enable netfilter and iptables (for other
reasons). Currently it is not enabled/installed. If I do end up
needing netfilter, I probably won't use iptables. I'll probably
compile the rules into a kernel module to save on overhead and
filesystem space.

> If not any troll with access to anything can use any port over 1024

Not relevent. No trolls have access to anything.

If trolls gain access to the system, the conflict between servers and
ephemerals ports is by far the least of my worries.

--
Grant