Subject: Re: NetBSD master CVS tree commits
To: None <tech-net@NetBSD.ORG>
From: Jeff Thieleke <thieleke@ix.netcom.com>
List: tech-net
Date: 12/31/1997 03:14:29
Luke Mewburn wrote:
> 
> matthew green writes:
> >
> >    >Just put it under tcp and document that it impacts udp as well.
> >
> >    Why not make it two sysctl's that control both tcp and udp?
> >
> >    There is some precedent for this; Solaris lets you set
> >    {tcp,udp}_{smallest,largest}_anon_port using ndd.
> >
> >
> > the problem with both of these is that it affects anything using
> > pcbbind (i'm not sure if anything else besides tcp and udp does,
> > but that's not the point).  and (now i'm stretching my memory,
> > hopefully luke or charles will correct me if i'm wrong :-) as
> > the change was made in one place, there's no (easy) way to tell
> > whether you're binding a port for tcp or udp.
> 
> correct.  so, there's a couple of issues to resolve:
> * what section of sysctl do we put it under? i favour net.inet.ip.*,
>   as it's probably the closest to what the behaviour does (unless we
>   add another section, e.g, net.inet.misc.*)
>         my vote: net.inet.ip.*
> 
> * is it a flag (0 = use 1024..5000, 1 = use 49152..65535), or
>   a `min' and `max' range. i prefer the latter, and have the kernel do
>   some quick sanity checking at sysctl time.
>         my vote: net.inet.ip.userlow (low end of ephemeral port range),
>         and net.inet.ip.userhigh (high end)
> 
> * should the sysctls be protected as net.inet.ip.forwsrcrt is (can't
>   change if securelevel >=1)
>         my vote: protected


Could someone explain the issues involved with the whole ephemeral
port thing?  Is it just to better conform with RFC standard (even though
there doesn't seem to be much of a consensus in practice), or are there
security implications as well?  Or is the goal to simply increase the
anon port range?


Jeff Thieleke
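Added illustration, not NetBSD code and not from anyone in this thread: a small user-space model in C of the proposal quoted above, with the `min'/`max' pair, the sanity checks at sysctl time, the securelevel protection, and a shared allocator standing in for pcbbind. The variable names follow Luke's suggested userlow/userhigh; the function names, the securelevel argument and the wrap-around allocation are assumptions.

```c
#include <errno.h>
#include <stdio.h>

/* Model of the proposed sysctls; names assumed, not NetBSD's code. */
#define IPPORT_RESERVED 1024    /* ports below this need privilege */
#define IPPORT_MAX      65535

static int userlow  = 1024;     /* model of net.inet.ip.userlow  */
static int userhigh = 5000;     /* model of net.inet.ip.userhigh */
static int lastport = 0;        /* last ephemeral port handed out */

int ephemeral_low(void)  { return userlow; }
int ephemeral_high(void) { return userhigh; }

/* sysctl-time handler: refuse writes once securelevel >= 1 (the same
 * protection as net.inet.ip.forwsrcrt) and reject nonsense ranges.
 * Returns 0 on success, otherwise an errno value. */
int set_ephemeral_range(int securelevel, int new_low, int new_high)
{
    if (securelevel >= 1)
        return EPERM;
    if (new_low < IPPORT_RESERVED || new_high > IPPORT_MAX)
        return EINVAL;          /* outside the unprivileged port space */
    if (new_low > new_high)
        return EINVAL;          /* inverted range */
    userlow  = new_low;
    userhigh = new_high;
    return 0;
}

/* Model of the allocation in pcbbind: next port in the configured
 * range, wrapping to the low end after the high end is used.  The
 * range is shared, so TCP and UDP draw from the same sequence. */
int next_ephemeral_port(void)
{
    if (lastport < userlow || lastport >= userhigh)
        lastport = userlow;     /* also covers a range change */
    else
        lastport++;
    return lastport;
}

int main(void)
{
    printf("default %d..%d, first port %d\n", ephemeral_low(),
           ephemeral_high(), next_ephemeral_port());
    printf("set 49152..65535 -> %d; at securelevel 1 -> %d (EPERM=%d)\n",
           set_ephemeral_range(0, 49152, 65535),
           set_ephemeral_range(1, 1024, 5000), EPERM);
    return 0;
}
```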