Random source port isn't random?

Simon Waters Simon at wretched.demon.co.uk
Thu Aug 7 00:08:21 UTC 2003



Ian Northeast wrote:
>
> I would like this number to be truly random. In particular I need my two
> caching servers serving my mail exchanges to use different ones. I know
> I could do this by specifying it explicitly, differently, in the two but
> this could break if by some chance the ports I specified happened to be
> in use. I would like it to behave as documented.

Pick one outside of the anonymous/ephemeral port range (<32768) that is
currently unused. Then only if a specific server application were
started would it conflict. And you'd probably notice if you added a new
server application that didn't work!

Historically 53 was always used for both queries and answers, but you
may prefer to ensure the firewall understands the distinction or
monitors state of the queries in some way before doing this, depending
on the firewall rules.

> This has come to light because of a misconfigured third party firewall
> which is blocking UDP packets on source port 32768 (or possibly the
> responses back to me). The admin's explanation was that he needed to do
> this to protect his rpc.statd which listens on this port. I have
> attempted to point out that he has this backwards but I suspect I will
> not get anywhere.

Sounds like a nasty firewall config; most go for some sort of DNS state
information to only allow responses to genuine DNS requests to return.
You can't be 100% sure the replies are genuine, but that is life in the
DNS world.

Is relying on rpc.statd to grab 32768 a dodgy firewalling technique, as it
may depend on boot order, which might change, or statd might be
restarted later for some reason?! Not sure; I try not to run rpc
services, and I don't let them anywhere near the Internet.

You either allow the whole ephemeral port range to do outgoing queries,
if security isn't THAT critical, or you do smarter firewalling; I
suspect anything else is digging a hole for yourselves.

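An added illustration, not part of the original thread, of the "DNS state information" the reply above says most firewalls keep: an inbound UDP/53 packet is admitted only if it answers a query that went out earlier, matched on server address, client port and the 16-bit transaction ID, and each recorded query is answerable once and only for a short time. The addresses, ports and IDs are constructed; `DnsStateTable` and `dns_message` are hypothetical names, not anything from BIND or a real firewall.

```python
import struct
import time

DNS_SERVER_PORT = 53
QUERY_TIMEOUT = 5.0  # seconds a recorded query stays answerable


def dns_message(txid, response):
    """Build a constructed 12-byte DNS header (no question section) for the demo."""
    flags = 0x8180 if response else 0x0100   # QR|RD|RA for answers, RD for queries
    return struct.pack("!HHHHHH", txid, flags, 1, 1 if response else 0, 0, 0)


def dns_header(payload):
    """Return (transaction id, is_response) from a DNS message."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", payload[:4])
    return txid, bool(flags & 0x8000)       # QR bit set means response


class DnsStateTable:
    """Outstanding queries keyed by (client ip, client port, server ip, txid)."""

    def __init__(self, now=time.monotonic):
        self.now = now          # injectable clock so the behaviour can be tested
        self.pending = {}       # key -> time after which the answer is no longer accepted

    def outbound(self, src_ip, src_port, dst_ip, dst_port, payload):
        """Record an outgoing query; returns True if the packet is allowed out."""
        txid, is_response = dns_header(payload)
        if dst_port != DNS_SERVER_PORT or is_response:
            return False        # only real queries towards port 53 create state
        self.pending[(src_ip, src_port, dst_ip, txid)] = self.now() + QUERY_TIMEOUT
        return True

    def inbound(self, src_ip, src_port, dst_ip, dst_port, payload):
        """Allow an incoming packet only if it answers a query still pending."""
        txid, is_response = dns_header(payload)
        if src_port != DNS_SERVER_PORT or not is_response:
            return False
        key = (dst_ip, dst_port, src_ip, txid)
        expiry = self.pending.pop(key, None)    # one answer per query, then the slot closes
        # Caveat from the thread: a forged answer that matches the same server address,
        # client port and 16-bit transaction id passes this check just like the real one.
        return expiry is not None and self.now() <= expiry
```

With this kind of state the client's source port can be anything, including 32768, because the firewall matches responses to queries rather than to a fixed port.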



More information about the bind-users mailing list