Subject: Re: NetBSD master CVS tree commits
To: Jeff Thieleke <firstname.lastname@example.org>
From: Ken Hornstein <email@example.com>
Date: 12/31/1997 17:55:38
>Could someone expain the the issues involved with the whole ephemeral
>port thing? Is it just to better conform with RFC standard (even though
>there doesn't seem to be much of a consensus in practice), or are there
>security implications as well? Or is the goal to simiply increase the
>anon port range?
The main issue is (as far as I understand it) with firewalls.
Let's say you have a firewall separating your internal network from
the rest of the Internet. You want connections originating from
internal machines to pass through the firewall, but you don't want
random people on the Internet to be able to connect to any of your
One way of doing this is to configure your firewall to allow all packets
out that are from the ephemeral port range and are to some well-known
address (i.e. - the telnet port). Also, you have to allow packets
in that are destined for the ephemeral port range and are from the
same well-known addresses.
If you're setting up a firewall, the chances are good that either you
or someone in your chain of command is very paranoid, and you probably
want to configure your packet filter to let the minimum amount of data
through that is necessary. _This_ is where the ephemeral port range
becomes an issue.
The "old" ephemeral port range was 1024-5000. So as a result, some
firewalls are configured to allow inbound packets only to these
ports. If the ephemeral port range changes, then this breaks.
Disclaimer: It's been a long time since I had to configure a firewall,
and I was basically winging it at the time. So don't treat me as a
font of firewall wisdom :-)