Configuring IP Dynamic Port Ranges

As you are probably aware, TCP and UDP port numbers are 16-bit unsigned integers in the range 0 to 65535. IANA (Internet Assigned Numbers Authority) manages the assignment of these port numbers. See the IANA Service Name and Transport Protocol Port Number Registry for more information.

IANA specifies that the range 49152 to 65535 be used for dynamic (also called private or ephemeral) ports. From the above referenced document:

   Port numbers are assigned in various ways, based on three ranges: System
   Ports (0-1023), User Ports (1024-49151), and the Dynamic and/or Private
   Ports (49152-65535); the different uses of these ranges is described in
   RFC6335.

   System Ports are assigned by IETF process for standards-track protocols,
   as per RFC6335.  User Ports are assigned by IANA using the "IETF Review"
   process, the "IESG Approval" process, or the "Expert Review" process, as per
   RFC6335.  Dynamic Ports are not assigned.

Contrary to the IANA recommendation, Linux kernels typically use the range 32768 to 61000. In 2007, the Linux kernel maintainers decided to use that range following a short discussion on the Linux kernel mailing list (See lkml.org). Note that more recent kernels ship with an upper bound of 60999 instead of 61000, so do not be surprised to see 32768 60999 on a current system; the mechanism described below is unchanged.

Two kernel settings control the IP dynamic port range on a system, namely ip_local_port_range and ip_local_reserved_ports. Both live under /proc/sys/net/ipv4 (and are also reachable through sysctl as net.ipv4.ip_local_port_range and net.ipv4.ip_local_reserved_ports):

# pwd
/proc/sys/net/ipv4

# ls | grep port
ip_local_port_range
ip_local_reserved_ports

# cat ip_local_port_range
32768	61000
# cat ip_local_reserved_ports

#

The range specified in ip_local_port_range determines which port the kernel assigns to an application when the application itself does not pick a TCP or UDP port, i.e. when it calls connect() on an unbound socket or bind() with port number 0. The upper range value was set to 61000 because ports above that number are used as masquerading (NAT) ports when masquerading is enabled. The lower range value was chosen because it was felt that more ports were needed than the 16384 offered by the IANA dynamic range.

From the kernel documentation:

ip_local_port_range - 2 INTEGERS
     Defines the local port range that is used by TCP and UDP to
     choose the local port. The first number is the first, the
     second the last local port number. The default values are
     32768 and 61000 respectively.

The second setting, ip_local_reserved_ports, enables you to exclude individual ports or sub-ranges from automatic assignment even though they fall inside the range listed in ip_local_port_range. This is how you keep the kernel from handing a port that one of your services listens on to some unrelated outgoing connection first.

From the kernel documentation:

ip_local_reserved_ports - list of comma separated ranges
     Specify the ports which are reserved for known third-party
     applications. These ports will not be used by automatic port
     assignments (e.g. when calling connect() or bind() with port
     number 0). Explicit port allocation behavior is unchanged.

     The format used for both input and output is a comma separated
     list of ranges (e.g. "1,2-4,10-10" for ports 1, 2, 3, 4 and
     10). Writing to the file will clear all previously reserved
     ports and update the current list with the one given in the
     input.

     Note that ip_local_port_range and ip_local_reserved_ports
     settings are independent and both are considered by the kernel
     when determining which ports are available for automatic port
     assignments.

     You can reserve ports which are not in the current
     ip_local_port_range, e.g.:

         $ cat /proc/sys/net/ipv4/ip_local_port_range
          32000  61000
         $ cat /proc/sys/net/ipv4/ip_local_reserved_ports
          8080,9148

     although this is redundant. However such a setting is useful
     if later the port range is changed to a value that will
     include the reserved ports.

     Default: Empty
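The following script is an added example, not part of the original post or of the kernel documentation quoted above. It re-implements, in shell, the rule the kernel applies when it picks an ephemeral port: a port is a candidate for connect()/bind(0) only if it lies inside ip_local_port_range and is not covered by ip_local_reserved_ports. The functions take the file contents as arguments so they can be run against constructed values such as the "32000 61000" / "8080,9148" pair from the documentation; show_live_settings() reads the real /proc files when they exist. The sysctl invocations in the comments are the standard way to change the values and need root.

```shell
#!/bin/sh
# Added example (not from the original post): evaluate ip_local_port_range
# and ip_local_reserved_ports the way the kernel does when choosing an
# ephemeral port. All inputs below are passed in as strings, so the
# functions work on constructed values as well as on the live /proc files.

# port_reserved PORT RESERVED_LIST
# RESERVED_LIST uses the ip_local_reserved_ports syntax, e.g. "1,2-4,10-10".
# Returns 0 (true) when PORT falls inside any listed range.
port_reserved() {
    port=$1
    list=$2
    [ -z "$list" ] && return 1
    old_ifs=$IFS
    IFS=,
    for item in $list; do
        case $item in
            *-*) lo=${item%-*}; hi=${item#*-} ;;
            *)   lo=$item;      hi=$item ;;
        esac
        if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
            IFS=$old_ifs
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# port_auto_assignable PORT "LOW HIGH" RESERVED_LIST
# "LOW HIGH" is the ip_local_port_range content (space or tab separated).
# Returns 0 when the kernel may hand PORT out automatically.
port_auto_assignable() {
    port=$1
    range=$2
    reserved=$3
    set -- $range
    [ "$port" -ge "$1" ] && [ "$port" -le "$2" ] || return 1
    port_reserved "$port" "$reserved" && return 1
    return 0
}

# count_auto_ports "LOW HIGH" RESERVED_LIST
# Prints the number of ports available for automatic assignment: the size
# of ip_local_port_range minus the reserved ports that fall inside it.
# Assumes the reserved ranges do not overlap one another (as in the docs).
count_auto_ports() {
    range=$1
    reserved=$2
    set -- $range
    lo=$1; hi=$2
    total=$((hi - lo + 1))
    [ -z "$reserved" ] && { echo "$total"; return; }
    old_ifs=$IFS
    IFS=,
    for item in $reserved; do
        case $item in
            *-*) rlo=${item%-*}; rhi=${item#*-} ;;
            *)   rlo=$item;      rhi=$item ;;
        esac
        # Clip the reserved range to the dynamic range before subtracting;
        # reserved ports outside the range cost nothing (the "redundant" case).
        [ "$rlo" -lt "$lo" ] && rlo=$lo
        [ "$rhi" -gt "$hi" ] && rhi=$hi
        [ "$rlo" -le "$rhi" ] && total=$((total - (rhi - rlo + 1)))
    done
    IFS=$old_ifs
    echo "$total"
}

# show_live_settings: report the running kernel's values when /proc is present.
# Changing them requires root, e.g.:
#   sysctl -w net.ipv4.ip_local_port_range="32768 60999"
#   sysctl -w net.ipv4.ip_local_reserved_ports="8080,9148"
# Writing ip_local_reserved_ports replaces the whole list, so read the
# current value first if you mean to add to it rather than overwrite it.
show_live_settings() {
    d=/proc/sys/net/ipv4
    if [ -r "$d/ip_local_port_range" ]; then
        range=$(cat "$d/ip_local_port_range")
        reserved=$(cat "$d/ip_local_reserved_ports")
        printf 'ip_local_port_range:     %s\n' "$range"
        printf 'ip_local_reserved_ports: %s\n' "$reserved"
        printf 'ports available for automatic assignment: %s\n' \
            "$(count_auto_ports "$range" "$reserved")"
    else
        echo "no $d on this host; run on Linux to see live values"
    fi
}

show_live_settings
```

Run it as-is to see how many ephemeral ports the current kernel can actually hand out, or source it and call port_auto_assignable to check whether a given listener port is at risk of being grabbed by an outgoing connection before your service binds it.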
