Bug 223997 - FreeBSD Handbook Section 11.11 Guidelines on net.inet.ip.portrange obsolete
Summary: FreeBSD Handbook Section 11.11 Guidelines on net.inet.ip.portrange obsolete
Status: New
Alias: None
Product: Documentation
Classification: Unclassified
Component: Documentation
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: freebsd-doc (Nobody)
Depends on:
Reported: 2017-11-30 16:25 UTC by Rick Miller
Modified: 2021-03-31 07:46 UTC

See Also:

Description Rick Miller 2017-11-30 16:25:52 UTC
The FreeBSD Handbook[1] had this to say regarding net.inet.ip.portrange.* sysctl variables:

“The net.inet.ip.portrange.* sysctl(8) variables control the port number ranges automatically bound to TCP and UDP sockets. There are three ranges: a low range, a default range, and a high range. Most network programs use the default range which is controlled by net.inet.ip.portrange.first and net.inet.ip.portrange.last, which default to 1024 and 5000, respectively. Bound port ranges are used for outgoing connections and it is possible to run the system out of ports under certain circumstances. This most commonly occurs when running a heavily loaded web proxy. The port range is not an issue when running a server which handles mainly incoming connections, such as a web server, or has a limited number of outgoing connections, such as a mail relay. For situations where there is a shortage of ports, it is recommended to increase net.inet.ip.portrange.last modestly. A value of 10000, 20000 or 30000 may be reasonable. Consider firewall effects when changing the port range. Some firewalls may block large ranges of ports, usually low-numbered ports, and expect systems to use higher ranges of ports for outgoing connections. For this reason, it is not recommended that the value of net.inet.ip.portrange.first be lowered.”

FreeBSD 11.1 deploys values contrary to those above:

# uname -sr
# sysctl net.inet.ip.portrange
net.inet.ip.portrange.randomtime: 45
net.inet.ip.portrange.randomcps: 10
net.inet.ip.portrange.randomized: 1
net.inet.ip.portrange.reservedlow: 0
net.inet.ip.portrange.reservedhigh: 1023
net.inet.ip.portrange.hilast: 65535
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.last: 65535
net.inet.ip.portrange.first: 10000
net.inet.ip.portrange.lowlast: 600
net.inet.ip.portrange.lowfirst: 1023

A commit in March 2008[2] sets net.inet.ip.portrange.first and last to 10000 and 65535 respectively. It's apparently obvious that The FreeBSD Handbook includes obsolete guidelines. This raises the question: "how does this change the advice given in The Handbook?"

Can The Handbook be updated to reflect modern guidelines surrounding using these kernel tunables?

[1] https://www.freebsd.org/doc/handbook/configtuning-kernel-limits.html
[2] https://svnweb.freebsd.org/base/stable/11/sys/netinet/in.h?revision=176805&view=markup
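As an added example (not part of the bug report, the Handbook, or FreeBSD's own tooling), the script below parses the `sysctl net.inet.ip.portrange` output quoted above, sizes the low, default and high ranges, estimates how many new outbound connections per second the default range can sustain before TIME_WAIT exhausts it, and flags the conditions the Handbook text cautions against (a default range that dips into the reserved ports, a narrow range, inverted bounds, randomization switched off). The 60 s TIME_WAIT figure (2*MSL with FreeBSD's default net.inet.tcp.msl of 30000 ms), the 10000-port warning threshold, and the two sample outputs are assumptions constructed for illustration; the first sample reproduces the 11.1 values from the report, the second substitutes the 1024/5000 defaults the Handbook still describes.

```python
"""Size the FreeBSD ephemeral port range from `sysctl net.inet.ip.portrange` output.

Added example, not code from the bug report or from FreeBSD.  Run it as a
script for a report, or import it and call the functions on real sysctl text.
"""
import re

# Constructed sample: the FreeBSD 11.1 values quoted in the bug report.
FREEBSD_11_1_OUTPUT = """\
net.inet.ip.portrange.randomtime: 45
net.inet.ip.portrange.randomcps: 10
net.inet.ip.portrange.randomized: 1
net.inet.ip.portrange.reservedlow: 0
net.inet.ip.portrange.reservedhigh: 1023
net.inet.ip.portrange.hilast: 65535
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.last: 65535
net.inet.ip.portrange.first: 10000
net.inet.ip.portrange.lowlast: 600
net.inet.ip.portrange.lowfirst: 1023
"""

# Constructed sample: the pre-2008 first/last defaults (1024/5000) that the
# Handbook text still describes, with every other value taken from above.
HANDBOOK_ERA_OUTPUT = (
    FREEBSD_11_1_OUTPUT
    .replace("portrange.first: 10000", "portrange.first: 1024")
    .replace("portrange.last: 65535", "portrange.last: 5000")
)

# One "net.inet.ip.portrange.<name>: <int>" line, as sysctl(8) prints it.
LINE_RE = re.compile(r"^net\.inet\.ip\.portrange\.([a-z]+):\s*(-?\d+)\s*$")

# Each range is stored as a (first, last) pair of sysctl names.
RANGES = {
    "low": ("lowfirst", "lowlast"),
    "default": ("first", "last"),
    "high": ("hifirst", "hilast"),
}

# Assumption for the rate estimate: FreeBSD holds a closed connection in
# TIME_WAIT for 2*MSL, and the default net.inet.tcp.msl is 30000 ms.
DEFAULT_TIME_WAIT_S = 60.0

# Assumption: an illustrative threshold below which we warn that the
# ephemeral pool is small (the Handbook's own 1024..5000 holds 3977 ports).
NARROW_RANGE_PORTS = 10000


def parse_portrange(text):
    """Return {name: value} for every net.inet.ip.portrange.* line in text."""
    vals = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised sysctl line: %r" % line)
        vals[m.group(1)] = int(m.group(2))
    return vals


def port_count(first, last):
    """Ports in an inclusive range.  The low range is stored high-to-low
    (lowfirst=1023, lowlast=600), so sort the bounds before counting."""
    lo, hi = sorted((first, last))
    return hi - lo + 1


def range_sizes(vals):
    """Port count of the low, default and high ranges."""
    return {name: port_count(vals[a], vals[b]) for name, (a, b) in RANGES.items()}


def outbound_rate_limit(vals, time_wait_s=DEFAULT_TIME_WAIT_S):
    """New outbound connections/sec to one (dst addr, dst port) that the
    default range can sustain when each closed connection pins its source
    port for time_wait_s seconds.  Beyond this rate, connect() starts
    failing with EADDRNOTAVAIL (the heavily loaded proxy case)."""
    return port_count(vals["first"], vals["last"]) / time_wait_s


def check_portrange(vals):
    """Warnings for the conditions the Handbook text cautions against."""
    warnings = []
    first, last = vals["first"], vals["last"]
    if first > last:
        warnings.append("default range is inverted (first > last)")
    if first <= vals["reservedhigh"]:
        warnings.append(
            "net.inet.ip.portrange.first (%d) is inside the reserved range "
            "(<= %d): ephemeral ports will land on privileged service ports "
            "and low-port-blocking firewalls may drop them"
            % (first, vals["reservedhigh"]))
    n = port_count(first, last)
    if n < NARROW_RANGE_PORTS:
        warnings.append(
            "only %d ephemeral ports; raise net.inet.ip.portrange.last" % n)
    if vals.get("randomized", 1) == 0:
        warnings.append(
            "port randomization disabled (randomized=0); sequential source "
            "ports are easier for an off-path attacker to predict")
    return warnings


def report(text):
    """Parse one sysctl dump and return a multi-line human-readable summary."""
    vals = parse_portrange(text)
    lines = ["%-8s %6d ports" % (k, v) for k, v in range_sizes(vals).items()]
    lines.append("default range sustains ~%.0f new outbound conns/s per "
                 "destination at %.0f s TIME_WAIT"
                 % (outbound_rate_limit(vals), DEFAULT_TIME_WAIT_S))
    lines.extend("WARNING: " + w for w in check_portrange(vals))
    return "\n".join(lines)


if __name__ == "__main__":
    for label, sample in (("FreeBSD 11.1", FREEBSD_11_1_OUTPUT),
                          ("Handbook-era", HANDBOOK_ERA_OUTPUT)):
        print("== %s ==" % label)
        print(report(sample))
```

On a live host, pipe the real output in with `sysctl net.inet.ip.portrange | python3 portrange.py` after replacing the `__main__` block with `print(report(sys.stdin.read()))`. A change such as `net.inet.ip.portrange.last=65535` is persisted in `/etc/sysctl.conf` in exactly that `name=value` form.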
Comment 1 dewayne 2021-03-31 07:46:45 UTC
Thanks Rick,
I went looking for information about net.inet.ip.portrange and found this PR.  Nearly time to start pre-school. 

Unfortunately the sysctl doc is quite scant:
# sysctl -d net.inet.ip.portrange
net.inet.ip.portrange: IP Ports
net.inet.ip.portrange.randomtime: Minimum time to keep sequental port allocation before switching to a random one
net.inet.ip.portrange.randomcps: Maximum number of random port allocations before switching to a sequental one
net.inet.ip.portrange.randomized: Enable random port allocation

and the "man tuning" on 12.2-STABLE is similar to the handbook.

https://docs.freebsd.org/en/books/handbook/config/#configtuning-kernel-limits net.inet.ip.portrange.*