Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id ; Wed, 25 Apr 2001 08:44:03 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id ; Wed, 25 Apr 2001 08:43:54 -0400 Received: from smtp1.cern.ch ([137.138.128.38]:17933 "EHLO smtp1.cern.ch") by vger.kernel.org with ESMTP id ; Wed, 25 Apr 2001 08:43:47 -0400 Date: Wed, 25 Apr 2001 14:43:38 +0200 From: Jamie Lokier To: "Dr. Michael Weller" Cc: linux-kernel@vger.kernel.org, linux-net@vger.kernel.org Subject: Re: Dynamic TCP reserved ports allocated in which range? Message-ID: <20010425144338.B18214@pcep-jamie.cern.ch> In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from eowmob@exp-math.uni-essen.de on Thu, Apr 19, 2001 at 10:52:00AM +0200 Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Dr. Michael Weller wrote: > For a firewall setup I need to know in which range applications like > rsh, or better yet the rresvport() libc function allocate reserved ports. > > Do I have to expect ports in the whole 1..1024 range (maybe omitting those > already in use by other servers) or is only a limited range used (like > 512-1023). This isn't a kernel question as the allocation is handled entirely by userspace. Userspace tries each port in turn until it finds one that isn't used at the moment. The non-privileged local port range can be read from and written to /proc/sys/net/ipv4/ip_local_port_range, but that's not your question. The man page for rresvport() says: The rresvport() function is used to obtain a socket with a privileged address bound to it. This socket is suitable for use by rcmd() and several other functions. Privileged Internet ports are those in the range 0 to 1023. Only the super-user is allowed to bind an address of this sort to a socket. For a firewall, you should probably distinguish these ports from fixed services ports (like ssh and smtp) by having different rules for Outgoing and Incoming connections. This is done by matching on the TCP SYN and ACK flags (see any firewall tutorial). enjoy, -- Jamie - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/