Solaris
Solaris uses the "ndd" utility program to change tunable IP stack parameters. The ephemeral ports on Solaris can be tuned individually for both TCP and UDP, so there are really two separate ephemeral port ranges. Solaris also provides options to change the privileged port range (ports only processes running with superuser privileges can use). The good news is that Solaris by default provides a large range at the end of the port range (32768 through 65535, or the upper 50%), so it is unlikely you will need to change the range from the default values.
The example below shows how to query the existing values for the TCP ephemeral ports, and change the range to 49152 through 61000:
# ndd -get /dev/tcp tcp_smallest_anon_port

OR

# /usr/sbin/ndd /dev/tcp tcp_smallest_anon_port tcp_largest_anon_port
32768
65535
# /usr/sbin/ndd -set /dev/tcp tcp_smallest_anon_port 49152
# /usr/sbin/ndd -set /dev/tcp tcp_largest_anon_port 61000
# /usr/sbin/ndd /dev/tcp tcp_smallest_anon_port tcp_largest_anon_port
49152
61000
Linux
Linux allows you to view and change the ephemeral port range by simply using the file /proc/sys/net/ipv4/ip_local_port_range. For example, this shows the default configuration on a kernel 2.2 system:

$ cat /proc/sys/net/ipv4/ip_local_port_range
1024 4999

To change this to the preferred range, you could do (as superuser):

# echo "49152 65535" > /proc/sys/net/ipv4/ip_local_port_range

Note that you would need to do this each time the system boots, so be sure to add a line to a system startup script such as /etc/rc.local so your range is always used.
Also note that the Linux 2.4 kernel defaults to the range 32768 through 61000 if adequate kernel memory is available, so changing the range may not be necessary on newer Linux systems.
Finally, also note that you may be able to use the sysctl interface to change the settings rather than using the /proc filesystem. The name of the sysctl parameter is "net.ipv4.ip_local_port_range". Edit the /etc/sysctl.conf file if you have it, or have a startup script run the sysctl command manually if you want to change this parameter using sysctl.
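As an added example that is not part of the original post, the following POSIX sh script reads a range in the two-number form used by /proc/sys/net/ipv4/ip_local_port_range, classifies it against the 49152 through 65535 range recommended here, and prints the net.ipv4.ip_local_port_range line you would put in /etc/sysctl.conf when it falls short. The function names and the sample file it audits are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: audit a "LOW HIGH" range (the
# /proc/sys/net/ipv4/ip_local_port_range format) against the recommended
# 49152-65535 range and emit the sysctl.conf line. Function names are this
# example's own, not part of Linux or sysctl.
RECOMMENDED_LOW=49152
RECOMMENDED_HIGH=65535

# range_verdict LOW HIGH: prints invalid, privileged, below-recommended or ok.
# Always returns 0 so callers can capture the word with $(...).
range_verdict() {
  low=$1; high=$2
  case "$low$high" in
    ""|*[!0-9]*) echo invalid; return 0 ;;   # both must be plain integers
  esac
  if [ -z "$low" ] || [ -z "$high" ] || [ "$low" -ge "$high" ] || [ "$high" -gt 65535 ]; then
    echo invalid
  elif [ "$low" -lt 1024 ]; then
    echo privileged                          # overlaps ports reserved for root
  elif [ "$low" -lt "$RECOMMENDED_LOW" ]; then
    echo below-recommended                   # overlaps registered ports 1024-49151
  else
    echo ok
  fi
}

# range_size LOW HIGH: ports available, which bounds the concurrent outbound
# connections from one local address to one remote address and port.
range_size() { echo $(( $2 - $1 + 1 )); }

# sysctl_line LOW HIGH: the persistent setting for /etc/sysctl.conf.
sysctl_line() { echo "net.ipv4.ip_local_port_range = $1 $2"; }

# audit_file PATH: read a "LOW HIGH" file, report, and suggest a fix if needed.
audit_file() {
  read -r low high < "$1"
  verdict=$(range_verdict "$low" "$high")
  if [ "$verdict" = invalid ]; then
    echo "$1: cannot parse '$low $high'"; return 0
  fi
  echo "$1: $low-$high ($(range_size "$low" "$high") ports): $verdict"
  [ "$verdict" = ok ] || sysctl_line "$RECOMMENDED_LOW" "$RECOMMENDED_HIGH"
}

# Constructed sample input mirroring the kernel 2.2 default shown above.
sample=$(mktemp); echo "1024 4999" > "$sample"
audit_file "$sample"; rm -f "$sample"
```

On a live system, pass /proc/sys/net/ipv4/ip_local_port_range to audit_file instead of the constructed sample.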
HP-UX
HP-UX uses the "ndd" utility program to change tunable IP stack parameters. The ephemeral ports on HP-UX can be tuned individually for both TCP and UDP, so there are really two separate ephemeral port ranges. HP-UX also provides options to change the privileged port range (ports only processes running with superuser privileges can use). The good news is that HP-UX uses our recommended port range (49152 through 65535), so it is unlikely you will need to change the range from the default values.
The example below shows how to query the existing values for the TCP ephemeral ports, and change the range to 50001 through 61000:

# /usr/bin/ndd /dev/tcp tcp_smallest_anon_port tcp_largest_anon_port
49152
65535
# /usr/bin/ndd -set /dev/tcp tcp_smallest_anon_port 50001
# /usr/bin/ndd -set /dev/tcp tcp_largest_anon_port 61000
# /usr/bin/ndd /dev/tcp tcp_smallest_anon_port tcp_largest_anon_port
50001
61000

Note that if you change the range values, you must do it each time the system boots. As we've mentioned, the default values are sufficient so you do not need to change the range values, but if you decide to proceed, the preferred way to do this for HP-UX is to edit the file /etc/rc.config.d/nddconf and add entries. For example, you might append these lines to your /etc/rc.config.d/nddconf file:

TRANSPORT_NAME[0]=tcp
NDD_NAME[0]=tcp_largest_anon_port
NDD_VALUE[0]=65535
TRANSPORT_NAME[1]=tcp
NDD_NAME[1]=tcp_smallest_anon_port
NDD_VALUE[1]=49152

If you do that, be sure that the entries are numbered accordingly. For example, if there are 4 entries already present, you would see them numbered 0 through 3 (i.e. TRANSPORT_NAME[3]=...). In that case, the entries you append need to be numbered after the existing entries.
AIX
AIX uses the "no" command to set network options. AIX uses two separate ephemeral port ranges, one for TCP and one for UDP, and both default to the values 32768 through 65535:

# /usr/sbin/no -a | fgrep ephemeral
tcp_ephemeral_low = 32768
tcp_ephemeral_high = 65535
udp_ephemeral_low = 32768
udp_ephemeral_high = 65535

The default range is sufficient, but you can change it using the no command. Here is an example that sets the TCP ephemeral port range to 49152 through 65535:

# /usr/sbin/no -o tcp_ephemeral_low=49152 -o tcp_ephemeral_high=65535

The options you set with no must be done each time the system starts up. One way to do that is to edit /etc/rc.tcpip and insert your no commands just before the script starts running the server daemons.