Wednesday, 24 September 2014

How To check and change the TCP Anon Port range in solaris,linux,hp-ux,aix

Solaris

Solaris uses the "ndd" utility program to change tunable IP stack parameters.  The ephemeral ports on Solaris can be tuned individually for both TCP and UDP, so there are really two separate ephemeral port ranges.  Solaris also provides options to change the privileged port range (ports only processes running with superuser privileges can use).
The good news is that Solaris by default provides a large range at the end of the port range (32768 through 65535, or the upper 50%) so it is unlikely you will need to change the range from the default values.
The example below shows how to query the existing values for the TCP ephemeral ports, and change the range to 49152 through 61000:
          #ndd -get /dev/tcp tcp_smallest_anon_port
            OR
# /usr/sbin/ndd /dev/tcp tcp_smallest_anon_port tcp_largest_anon_port
32768

65535
# /usr/sbin/ndd -set /dev/tcp tcp_smallest_anon_port 49152
# /usr/sbin/ndd -set /dev/tcp tcp_largest_anon_port 61000
# /usr/sbin/ndd /dev/tcp tcp_smallest_anon_port tcp_largest_anon_port
49152

61000


Linux

Linux allows you to view and change the ephemeral port range by simply using the file /proc/sys/net/ipv4/ip_local_port_range.  For example, this shows the default configuration on a kernel 2.2 system:
$ cat /proc/sys/net/ipv4/ip_local_port_range 
1024 4999
To change this to the preferred range, you could do (as superuser):
# echo "49152 65535" > /proc/sys/net/ipv4/ip_local_port_range 
Note that you would need to do this each time the system boots, so be sure to add a line to a system startup script such as /etc/rc.local so your range is always used.
Also note that the Linux 2.4 kernel will default the range of 32768 through 61000 if adequate kernel memory is available, so changing the range may not be necessary on newer Linux systems.
Finally, also note that you may be able to use the sysctl interface to change the settings rather than using the /proc filesystem. The name of the sysctl parameter is "net.ipv4.ip_local_port_range".  Edit the/etc/sysctl.conf file if you have it, or have a startup script run the sysctl command manually if you want to change this parameter using sysctl.

HP-UX

HP-UX uses the "ndd" utility program to change tunable IP stack parameters.  The ephemeral ports on HP-UX can be tuned individually for both TCP and UDP, so there are really two separate ephemeral port ranges.  HP-UX also provides options to change the privileged port range (ports only processes running with superuser privileges can use).
The good news is that HP-UX uses our recommended port range (49152 through 65535) so it is unlikely you will need to change the range from the default values.
The example below shows how to query the existing values for the TCP ephemeral ports, and change the range to 50001 through 61000:
# /usr/bin/ndd /dev/tcp tcp_smallest_anon_port tcp_largest_anon_port
49152

65535
# /usr/bin/ndd -set /dev/tcp tcp_smallest_anon_port 50001
# /usr/bin/ndd -set /dev/tcp tcp_largest_anon_port 61000
# /usr/bin/ndd /dev/tcp tcp_smallest_anon_port tcp_largest_anon_port
50001

61000
Note that if you change the range values, you must do it each time the system boots.  As we've mentioned, the default values are sufficient so you do not need to change the range values, but if you decide to proceed, the preferred way to do this for HP-UX is to edit the file /etc/rc.config.d/nddconf and add entries.  For example, you might append these lines to your /etc/rc.config.d/nddconf file:
TRANSPORT_NAME[0]=tcp
NDD_NAME[0]=tcp_largest_anon_port
NDD_VALUE[0]=65535

TRANSPORT_NAME[1]=tcp
NDD_NAME[1]=tcp_smallest_anon_port
NDD_VALUE[1]=49152
If you do that, be sure that the entries are numbered accordingly.  For example, if there are 4 entries already present, you would see them numbered 0 through 3 (i.e. TRANSPORT_NAME[3]=...).  In that case, the entries you append need to be numbered after the existing entries.

AIX

AIX uses the "no" command to set network options.  AIX uses two separate ephemeral port ranges, one for TCP and UDP, and both default to the values 32768 through 65535:
# /usr/sbin/no -a | fgrep ephemeral
        tcp_ephemeral_low = 32768
       tcp_ephemeral_high = 65535
        udp_ephemeral_low = 32768
       udp_ephemeral_high = 65535
The default range is sufficient, but you can change it using the no command.  Here is an example that sets the TCP ephemeral port range to 49152 through 65535:
# /usr/sbin/no -o tcp_ephemeral_low=49152 -o tcp_ephemeral_high=65535
The options you set with no must be done each time the system starts up.  One way to do that is to edit /etc/rc.tcpip and insert your no commands just before the script starts running the server daemons.


No comments:

Post a Comment