tech-net archive


Re: Source port randomisation on NetBSD?



On Sun, Oct 24, 2010 at 02:52:43PM -0700,
 John Nemeth <jnemeth%victoria.tc.ca@localhost> wrote 
 a message of 30 lines which said:

> This would be more NetBSD-as-a-router.

OK. So there is indeed no solution for NetBSD-as-a-host.

> NOTE: I believe that all reasonably recent versions of named
> automatically use port randomisation.

They do but my main concern was not about the DNS but about TCP-based
services (SSH, BGP, etc).

> Beyond this, I don't know what real world benefits port
> randomisation brings, if any, for the vast majority of hosts.

I refer you to the soon-to-be-RFC
<ftp://ftp.rfc-editor.org/in-notes/internet-drafts/draft-ietf-tsvwg-port-randomization-09.txt>.
I copy here the survey of all free Unices:


Appendix A.  Survey of the algorithms in use by some popular
             implementations

A.1.  FreeBSD

   FreeBSD 8.0 implements Algorithm 1, and in response to this document
   now uses a 'min_port' of 10000 and a 'max_port' of 65535.  [FreeBSD]

A.2.  Linux

   Linux 2.6.15-53-386 implements Algorithm 3, with MD5 as the hash
   algorithm.  If the algorithm is faced with the corner-case scenario
   described in Section 3.5, Algorithm 1 is used instead [Linux].

A.3.  NetBSD

   NetBSD 5.0.1 does not obfuscate its ephemeral port numbers.  It
   selects ephemeral port numbers from the range 49152-65535, starting
   from port 65535, and decreasing the port number for each ephemeral
   port number selected [NetBSD].

A.4.  OpenBSD

   OpenBSD 4.2 implements Algorithm 1, with a 'min_port' of 1024 and a
   'max_port' of 49151.  [OpenBSD]

A.5.  OpenSolaris

   OpenSolaris 2009.06 implements Algorithm 1, with a 'min_port' of
   32768 and a 'max_port' of 65535.  [OpenSolaris]
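The three strategies the survey names, side by side, as an added example so the difference is concrete. This is not NetBSD, Linux or draft code: the class names, the hash input layout, the secret and the sample addresses are assumptions chosen for illustration, following the pseudocode shape of the draft's Algorithm 1 (simple randomisation) and Algorithm 3 (hash-based offset with a global counter), and the sequential-decrement behaviour the survey attributes to NetBSD 5.0.1.

```python
"""Ephemeral port selection strategies compared.

Added example, not code from NetBSD, Linux or the draft.  Secret, addresses
and class names are assumptions for illustration.
"""
import hashlib
import os
import random
import socket
import struct


class ScriptedRng:
    """Deterministic stand-in for random.SystemRandom so that the
    retry-on-collision path of Algorithm 1 can be exercised reproducibly."""

    def __init__(self, values):
        self.values = list(values)

    def randrange(self, n):
        return self.values.pop(0) % n


class SequentialDecreasing:
    """NetBSD 5.0.1 per Appendix A.3: 49152-65535, starting at 65535 and
    decrementing.  Observing one connection reveals the next source port."""

    def __init__(self, min_port=49152, max_port=65535):
        self.min_port, self.max_port = min_port, max_port
        self.next_port = max_port

    def pick(self, in_use):
        # Walk the whole range at most once, wrapping to max_port at the bottom.
        for _ in range(self.max_port - self.min_port + 1):
            port = self.next_port
            self.next_port = port - 1 if port > self.min_port else self.max_port
            if port not in in_use:
                return port
        raise OSError("no free ephemeral port")


def predict_next_sequential(observed_port, min_port=49152, max_port=65535):
    """What an off-path observer of the scheme above can infer: the very next
    ephemeral port, with no guessing required."""
    return observed_port - 1 if observed_port > min_port else max_port


class Algorithm1:
    """Draft Algorithm 1: draw uniformly from [min_port, max_port], retry on
    collision, and give up after num_ephemeral attempts."""

    def __init__(self, min_port=10000, max_port=65535, rng=None):
        self.min_port, self.max_port = min_port, max_port
        self.rng = rng or random.SystemRandom()

    def pick(self, in_use):
        num_ephemeral = self.max_port - self.min_port + 1
        for _ in range(num_ephemeral):
            port = self.min_port + self.rng.randrange(num_ephemeral)
            if port not in in_use:
                return port
        raise OSError("no free ephemeral port")


class Algorithm3:
    """Draft Algorithm 3: offset = F(local_IP, remote_IP, remote_port, secret)
    plus a single global counter.  Ports towards one peer are consecutive, but
    the offset for another peer cannot be derived without the secret."""

    def __init__(self, min_port=32768, max_port=65535, secret=None):
        self.min_port, self.max_port = min_port, max_port
        # Assumed 16-byte secret; a real stack would generate it at boot.
        self.secret = secret if secret is not None else os.urandom(16)
        self.next_ephemeral = 0  # global counter shared across destinations

    def _offset(self, local_ip, remote_ip, remote_port):
        # Input layout is an assumption; Appendix A.2 only says Linux uses MD5.
        msg = (socket.inet_aton(local_ip) + socket.inet_aton(remote_ip)
               + struct.pack("!H", remote_port) + self.secret)
        return struct.unpack("!I", hashlib.md5(msg).digest()[:4])[0]

    def pick(self, local_ip, remote_ip, remote_port, in_use):
        num_ephemeral = self.max_port - self.min_port + 1
        offset = self._offset(local_ip, remote_ip, remote_port)
        for _ in range(num_ephemeral):
            port = self.min_port + (self.next_ephemeral + offset) % num_ephemeral
            self.next_ephemeral += 1
            if port not in in_use:
                return port
        raise OSError("no free ephemeral port")
```

The practical point for the TCP services mentioned above is the size of the search space an off-path attacker faces: with the sequential scheme, `predict_next_sequential` gives the next source port outright, so only the sequence number remains to guess; with Algorithm 1 the port contributes the full `max_port - min_port + 1` possibilities per connection; with Algorithm 3 an attacker who watches one connection to a given peer learns the ports for later connections to that same peer, but nothing about other peers, which is the trade-off the draft accepts to keep port reuse predictable for NAT and TIME_WAIT reasons.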


