>>    Hmmm ... you know, it might be useful if you could twist this knob via
>>    a sysctl (for example, if you're behind a firewall).
>> 
>>  you can just change the #define for now...
>
>You can't change a #define dynamically when you find yourself moving
>your laptop from place to place, which I do all the time. It would be
>Really Really Nice for this to be a sysctl. I originally supported
>having no option for this until I discovered that some of my clients
>have badly configured firewalls. :(

Aren't all firewalls by definition a bad configuration? :-)  But
seriously, that's exactly what I was thinking of.

>> we discussed doing this with a sysctl, but we couldn't find a suitable
>> name for it  :-)  it's a property of at least tcp and udp but it _isn't_
>> a property of ip, so without splitting it into lots of little variables
>> (one for each protocol), there didn't appear to be a "neat" place for
>> it to fit.
>
>Just put it under tcp and document that it impacts udp as well.

Why not make it two sysctl's that control both tcp and udp?

There is some precent for this; Solaris lets you set
{tcp,udp}_{smallest,largest}_anon_port using ndd.

--Ken