Linux – How safe is it to change the Linux Ephemeral Port range

iplinux

I see the following ephemeral port range on my Linux box.

sysctl net.ipv4.ip_local_port_range
net.ipv4.ip_local_port_range = 32768    61000

I want to extend the port range to start from around 16000. A quick question here being: how safe is it to change the range in context to the other applications? Will other applications be affected by this change? I understand that an application is affected only if it is using the port(s) in the specified port range. But in general, how are these kind of issues dealt it?

Best Answer

Changing the ephemeral port range might cause problems if you are using Mesos.

Mesos advertises the resources of a host out to various Mesos Frameworks which then can choose to use the advertised resources. The advertised resources include CPU, memory, ports, etc. The default set of ports that Mesos advertises is 31000-32000. This avoids a clash with the default Linux ephemeral port range of 32768-61000.

Notably, Mesos doesn't know about whether a port is used by some other process, it just tracks the assignment of ports to the entities it orchestrates (Mesos Tasks & Mesos Executors). So if you change the ephemeral port range such that it overlaps with the Mesos port range, it's likely that some arbitrary process will use an ephemeral port that is actually one of those "Mesos ports". This could lead to Mesos offering that port to a Mesos Framework, which would encounter seemingly random failures of its Mesos Executors and/or Mesos Tasks as they will be unable to bind to that port.

If you need to increase your ephemeral port range and also need to run Mesos, then you can modify the advertised ports through a mesos-slave (soon to be renamed to mesos-agent) configuration parameter of --resources.

Related Solutions

Linux – Why doesn’t Linux use the IANA Ephemeral port range

There was a time when IANA only assigned ports up to 1023. See RFC1700. At one time this was a standard. Most of the time I have no trouble finding when things change in the stream of RFC's but for the question of changing ports from 1024 to 49152 from registered to assigned I came up short.

In terms of Linux history, there was a question raised about the default ip_local_port_range in 2007. At that time it was decided to use the Linux range you mention for fear that high port numbers might cause problems and beginning the range at 49152 might leave too few port numbers in the pool. See this and its thread. The expressed thought at the time was that beginning at 32768 was within the spirit of the IANA's procedures, if not fully conformant. In reading this I infer that the developers assumed most assignments would occur from the bottom of the range and move up. At this writing I count a little more than 100 port numbers assigned (not counting different protocols as separate) between 32768 and 49152, so that has held up pretty well over the last five years.

I don't know why the range was considered too small, but I can imagine two reasons:

Port numbers are randomized to thwart certain attacks. The more addresses in the pool, the better this defense can work.
High activity servers might have trouble with port number exhaustion. While ports might be ephemeral, their use is not instantaneous. In particular sockets can last several minutes after TCP close.

This blog post touches on number 2, and suggests an answer should you wish your Linux systems to use a different range of local ports. (Using /etc/sysctl.d to define a range you like. There is also a ip_local_reserved_ports entry that may be of use if a particular conflict arrises. These match up with the /proc/sys entry you quote.)

In summary. The Linux defaults don't match the current IANA specifications, but any particular Linux system can, if its owner desires.

Linux – How to change the IP and gateway addresses permanently

As stated by jpkotta, network-manager is likely the culprit.

You can see its status by running ps -aux | grep network-manager | grep <username>. If you get a result, it is running, otherwise it isn't.

It will keep overwriting any changes you make with ifconfig as long as it is running.

Kill network-manager by running sudo service network-manager stop.
You can bring it back up any time with sudo service network-manager start.

Once it is disabled, use ifconfig to set your static, OR edit your /etc/network/interfaces file to include something like:

auto eth0
iface eth0 inet static
address 192.168.1.2
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1
dns-nameservers 8.8.8.8

Finally, run ifup -a to bring up the interfaces you have in your /etc/network/interfaces file.

All of this can be avoided though, if you'd rather not mess around with killing network manager. Just click on its icon in the taskbar and click 'edit connections'.

Best Answer

Related Solutions

Linux – Why doesn’t Linux use the IANA Ephemeral port range

Linux – How to change the IP and gateway addresses permanently

Related Question