zone transfers sticking on one port?
Ragnar Paulson
ragnar at wanware.com
Tue Mar 16 18:58:35 UTC 2004
> Named is an application that uses multiple ports for this specific
> function. But blocking one caused it to get totally confused, and keep
> trying this port. So despite using all these ports, a block on one
> port basically stopped named from performing this function correctly. And
> named has all these ports to try, yet it got hung up on this one.
>
> Can I ask the question of what is trying to be accomplished with these
> connections initiated on random high ports? (And yes, I know I can
> lock this down to one port - I'm not doing this to be belligerent. I'd
> just like to know.)
>
>=20
It's a basic function of the TCP/IP architecture. Known services listen
on a known port (usually in the 0-1024 range, but it has grown from
there). If I want to connect to an SMTP server, I connect to port 25;
if I want to connect to a DNS server, I connect to port 53. However, each
connection must have a source port. As one IP address can host multiple
connections (think of a multi-user operating system like Unix, or even a
single access point NAT router), clients are not free, usually, to
fix themselves to one port.

So a client randomly chooses an "ephemeral" port (actually the OS
chooses the port when the client requests a random port), one of the
free ports in the range 1025->65535. As soon as the OS has told the
client a port is free it will initiate the connection attempt. There is
no mechanism for the client to distinguish the failure to respond to
this port due to your firewall rule from a failure to respond because
the remote server is unavailable. Would you have clients cycle endlessly
through all known ports whenever a remote server failed?
Ragnar
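The mechanism Ragnar describes, shown on a local socket. This is an added example, not code from the thread or from BIND: it lets the OS assign an ephemeral source port (bind to port 0), shows that a second socket cannot reuse a port another socket still holds (why a client cannot simply pin itself to one port), and sends a constructed probe to a bound-but-silent local port so the client sees the same timeout a firewall drop or a dead server would produce. It assumes a working loopback interface and, on Linux, a readable /proc/sys/net/ipv4/ip_local_port_range; the probe payload is made up and is not a DNS message.

```python
"""Ephemeral source ports on a local socket (added example, not from the original thread)."""
import errno
import socket

# The loose range given in the post; real OS defaults are narrower (Linux: 32768-60999).
POST_EPHEMERAL_RANGE = (1025, 65535)


def os_ephemeral_range():
    """Read the kernel's ephemeral range on Linux; fall back to the post's loose bound elsewhere."""
    try:
        with open("/proc/sys/net/ipv4/ip_local_port_range") as f:
            low, high = (int(x) for x in f.read().split())
        return low, high
    except (OSError, ValueError):
        return POST_EPHEMERAL_RANGE


def open_with_ephemeral_port(proto=socket.SOCK_DGRAM):
    """Bind to port 0 so the OS picks a free ephemeral port, as it does for a resolver's
    outbound UDP query or an AXFR client's TCP connection. Caller owns the socket."""
    s = socket.socket(socket.AF_INET, proto)
    s.bind(("127.0.0.1", 0))
    return s


def ephemeral_ports(n, proto=socket.SOCK_DGRAM):
    """Hold n sockets open at once and return their OS-assigned source ports.
    They are all distinct because each port is owned by exactly one open socket."""
    socks = [open_with_ephemeral_port(proto) for _ in range(n)]
    try:
        return [s.getsockname()[1] for s in socks]
    finally:
        for s in socks:
            s.close()


def fixed_port_collides(proto=socket.SOCK_DGRAM):
    """Why a client cannot 'fix itself to one port': while one socket holds a source port,
    a second bind to the same address:port fails with EADDRINUSE. True if that happens."""
    holder = socket.socket(socket.AF_INET, proto)
    holder.bind(("127.0.0.1", 0))  # let the OS choose, then treat it as our "fixed" port
    port = holder.getsockname()[1]
    second = socket.socket(socket.AF_INET, proto)
    try:
        second.bind(("127.0.0.1", port))
        return False
    except OSError as e:
        return e.errno == errno.EADDRINUSE
    finally:
        second.close()
        holder.close()


def query_gets_no_answer(timeout=0.2):
    """Send a datagram to a local port that is bound but never answers (a constructed
    stand-in for a firewalled or dead server) and report whether the client timed out.
    The timeout carries no information about which of the two it was."""
    silent = open_with_ephemeral_port()  # bound, never reads or replies: a black hole
    client = open_with_ephemeral_port()
    client.settimeout(timeout)
    try:
        # Constructed probe payload; not a real DNS message.
        client.sendto(b"constructed probe", silent.getsockname())
        client.recvfrom(512)
        return False
    except socket.timeout:
        return True
    finally:
        client.close()
        silent.close()


if __name__ == "__main__":
    print("ephemeral range:", os_ephemeral_range())
    print("five OS-chosen source ports:", ephemeral_ports(5))
    print("second bind to a held port fails:", fixed_port_collides())
    print("probe to a silent port times out:", query_gets_no_answer())
```

For the BIND side of the question, named.conf lets you pin the source port with the `port` argument of `transfer-source` (for zone transfers) and `query-source` (for recursive queries). Pinning `query-source` to a single port removes source-port randomization, which is one of the defenses against DNS cache poisoning, so prefer opening the firewall for the ephemeral range to pinning the query port; if you pin anything, pin only the transfer source.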