On 2025-08-07, Javier Martinez <[email protected]> wrote:
> Also if you try to use one port from 32768 to one service you will
> be able to do so if it's not used by any other.
Right, but the problem happens when you do need to bind to a specific
port (e.g. 44818) and it's already in use as a local ephemeral port.
> Ports below 1024 has root privileges (CAP_NET_BIND_SERVICE) because
> of this, this services are critical, services from 1024 dont because
> they are not reserved to root.
True, but not relevent.
> Also, you can restrict using ports with iptables if you need for
> example. So, if you need this port always available, tell iptables
> that drop any connection from.
I don't understand.
1. We don't care what remote source port incoming connections are
coming from. The remote ports used in connections don't conflict
with local ports.
2. Iptables can't prevent a socket from being bound to a particular
local ephemeral port. I guess if iptables forces the TCP handshake
to fail, the socket will _probably_ be closed by the application.
The right answer is to use sysctl to reserve specific local ports
within the ephemeral range via net.ipv4.ip_local_reserved_ports.
I know how the system works. I know how to fix the problem. My
question was historical: why/how did Linux end up violating the
standards by default?
--
Grant