El 7/8/25 a las 16:01, Grant Edwards escribió:
Take note that when you are using DNS, YOU ARE violating the standard since don't complains with source port randomization. This appeared because vulnerabilities in DNS protocol and almost all servers implement it. Every thing done are done for something, and in this case because:On 2025-08-07, Javier Martinez <[email protected]> wrote:Also if you try to use one port from 32768 to one service you will be able to do so if it's not used by any other.Right, but the problem happens when you do need to bind to a specific port (e.g. 44818) and it's already in use as a local ephemeral port.Ports below 1024 has root privileges (CAP_NET_BIND_SERVICE) because of this, this services are critical, services from 1024 dont because they are not reserved to root.True, but not relevent.Also, you can restrict using ports with iptables if you need for example. So, if you need this port always available, tell iptables that drop any connection from.I don't understand. 1. We don't care what remote source port incoming connections are coming from. The remote ports used in connections don't conflict with local ports.2. Iptables can't prevent a socket from being bound to a particularlocal ephemeral port. I guess if iptables forces the TCP handshake to fail, the socket will _probably_ be closed by the application. The right answer is to use sysctl to reserve specific local ports within the ephemeral range via net.ipv4.ip_local_reserved_ports. I know how the system works. I know how to fix the problem. My question was historical: why/how did Linux end up violating the standards by default? -- Grant
*Users are not admins, so we don't have to reserve them ports *Reserved ports are just below 1024, no root, no bind*To assure users surfing for example, we need to give them random ports. More ports free, more security for web services, dns queries etc
*Resources have to be used, reserving more than 50% of resources for a "if gets used" is a bad idea
*The resource can be reserved by the admin with iptables if required. iptables -A OUTPUT -p tcp --sport 55500 -m CONNTRACK --ctstate NEW -j DROP*Resources must be administrated by admin (a.k.a root), not by lusers that wants their bittorrent port free if they want
OpenPGP_0x57E64E0B7FC3BEDF.asc
Description: OpenPGP public key
OpenPGP_signature.asc
Description: OpenPGP digital signature

