iptables -A OUTPUT -p tcp --sport 55500 -j DROP
Since ephemeral ports are used by clients and selected randomly, you force to switch another one.
Unpriv ports used by services not started by root are the irrelevant ones. No all people has "bittorrent" in their systems and need it available, neither nobody has ejabberd and needs this port free. Anyone can use netcat to listen anything to your reserved port since ports above 1024 are for use FREELY. Netcat will not check if the is reserved, only if its free. If the port is below 1024 and has not privs, kernel will stop it. But just because a permissions question.
If I want clone a harddisk image from my system to a remote one I will switch the first one above 1025 to put ncat/netcat, if it fails because its used I would switch another one.
If one admin needs one of them available because will use this service could use iptables to forbid using it.
Getting unpriv services hardmasking ports in one system I think it's a silly and crazy idea and a waste of resources including a security risk because source ports shall be selected randomly and is not the same switching between 10000 ports and switching between 32767 in strength of random. This is worse if your system has a lot of clients.
Neither no system will use ALL unpriv reserved ports to unpriv services. So you can't reserve 25000 (or more) ports to be able some day to use "one of them" having the other permanently unused.
DNS protocol is an example that not all ideas standarized are good ideas, as with DNSSEC or with the lack of randomized source of dns queries.
El 7/8/25 a las 16:01, Grant Edwards escribió:
On 2025-08-07, Javier Martinez <[email protected]> wrote:Also if you try to use one port from 32768 to one service you will be able to do so if it's not used by any other.Right, but the problem happens when you do need to bind to a specific port (e.g. 44818) and it's already in use as a local ephemeral port.Ports below 1024 has root privileges (CAP_NET_BIND_SERVICE) because of this, this services are critical, services from 1024 dont because they are not reserved to root.True, but not relevent.Also, you can restrict using ports with iptables if you need for example. So, if you need this port always available, tell iptables that drop any connection from.I don't understand. 1. We don't care what remote source port incoming connections are coming from. The remote ports used in connections don't conflict with local ports.2. Iptables can't prevent a socket from being bound to a particularlocal ephemeral port. I guess if iptables forces the TCP handshake to fail, the socket will _probably_ be closed by the application. The right answer is to use sysctl to reserve specific local ports within the ephemeral range via net.ipv4.ip_local_reserved_ports. I know how the system works. I know how to fix the problem. My question was historical: why/how did Linux end up violating the standards by default? -- Grant
OpenPGP_0x57E64E0B7FC3BEDF.asc
Description: OpenPGP public key
OpenPGP_signature.asc
Description: OpenPGP digital signature

