Subject: Re: NetBSD master CVS tree commits
To: Luke Mewburn <lm@cs.rmit.edu.au>
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
List: tech-net
Date: 12/30/1997 22:32:32
>* what section of sysctl do we put it under? i favour net.inet.ip.*,
>  as it's probably the closest to what the behaviour does (unless we
>  add another section, e.g., net.inet.misc.*)
>	my vote: net.inet.ip.*

Sounds good to me.

>* is it a flag (0 = use 1024..5000, 1 = use 49152..65535), or
>  a `min' and `max' range. i prefer the latter, and have the kernel do
>  some quick sanity checking at sysctl time.
>	my vote: net.inet.ip.userlow (low end of ephemeral port range),
>	and net.inet.ip.userhigh (high end)

I prefer the min/max range as well.  I'm not sure I like "userlow" and
"userhigh", though.  How about "anon_port_low", or even
"ephemeral_port_low"?  (Geez, that's long).

>* should the sysctls be protected as net.inet.ip.forwsrcrt is (can't
>  change if securelevel >=1)
>	my vote: protected

I would vote against it being protected (unless someone had a good
security argument against it).  Maybe it's "protected" for dumb things
when securelevel >= 1 (like, it won't let you set the low range below
1024).

--Ken
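
Added illustration, not part of the original message and not NetBSD code: a user-space C model of the min/max sanity check discussed above, including the suggested securelevel >= 1 restriction on setting the low end below 1024. The struct, function and knob names, and the choice of EINVAL/EPERM as error codes, are assumptions made for the example.

```c
#include <errno.h>
#include <stdio.h>

#define PORT_MAX     65535
#define RESERVED_END 1024            /* ports below this are the reserved range */

struct anon_range { int low, high; };   /* hypothetical model of the two knobs */
enum knob { KNOB_LOW, KNOB_HIGH };

/*
 * Validate and apply ONE write, as a sysctl handler would: each knob is set
 * separately, so the new value is checked against the current other end.
 * Returns 0 on success, or an errno value (assumed: EINVAL / EPERM).
 */
int anon_range_set(struct anon_range *r, enum knob k, int val, int securelevel)
{
    int low  = (k == KNOB_LOW)  ? val : r->low;
    int high = (k == KNOB_HIGH) ? val : r->high;

    if (val < 1 || val > PORT_MAX)
        return EINVAL;               /* not a usable port number */
    if (low > high)
        return EINVAL;               /* range would be empty */
    /* "Protected for dumb things": at securelevel >= 1 the low end may not
     * be moved into the reserved ports; other changes stay allowed. */
    if (securelevel >= 1 && k == KNOB_LOW && val < RESERVED_END)
        return EPERM;

    r->low = low;
    r->high = high;
    return 0;
}

int main(void)
{
    struct anon_range r = { 1024, 5000 };   /* constructed starting range */

    /* Raising low first fails (it would exceed high); raise high first. */
    printf("low first: %d\n", anon_range_set(&r, KNOB_LOW, 49152, 0));
    printf("high:      %d\n", anon_range_set(&r, KNOB_HIGH, 65535, 0));
    printf("low:       %d\n", anon_range_set(&r, KNOB_LOW, 49152, 0));
    printf("low=600 at securelevel 1: %d\n",
           anon_range_set(&r, KNOB_LOW, 600, 1));
    printf("range now %d..%d\n", r.low, r.high);
    return 0;
}
```

Because each end is validated against the other's current value, moving from 1024..5000 to 49152..65535 only succeeds when the high end is raised before the low end.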