Maintained by: NLnet Labs

[Unbound-users] wrong outgoing-port-permit port range handling?

Wouter Wijngaards
Mon Aug 4 09:45:41 CEST 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Beastie,

The default unbound port range is 1024 - 65535 with exceptions for IANA
allocated ports and some ephemeral port ranges. You thought your range
was the only range, but instead the permit and avoid lines are parsed in
order, adding the permitted ports and subtracting the avoided ports from
the set of ports allowed for use.

Your outgoing-port-permit: 32768-65000 does not change much about it
(well it removes the default IANA allocation exceptions in that range).

If you want to stop unbound from using port numbers below 32768 use
	outgoing-port-avoid: 0-32767
and above 65000 with
	outgoing-port-avoid: 65001-65535

The two avoid lines make unbound do what you want it to (only take ports
from 32768 to 65000).

Best regards,
~   Wouter

Beastie wrote:
| Hello.
|
| My system is FreeBSD 7.0-RELEASE-p3 and I'm running Unbound 1.0.1 +
| libevent-1.3e installed from ports.
| System firewall is configured to use dynamic firewall rules.
|
| ---
|
| IPFW configuration:
| allow ip from any to any via lo0
| deny ip from any to 127.0.0.0/8
| deny ip from 127.0.0.0/8 to any
| add check-state
| add deny icmp from any to any frag
| add allow icmp from any to me icmptypes 0,3,11
| add allow icmp from me to any out keep-state
| add allow tcp from me to any out keep-state
| add allow udp from me to any out keep-state
| add deny tcp from any to any
| add deny udp from any to any
| add deny ip from any to any
|
| ---
|
| unbound.conf
| server:
|        verbosity: 0
|        #statistics-interval: 3600
|        num-threads: 4
|        interface: 0.0.0.0
|        port: 53
|        outgoing-range: 256
|        outgoing-port-permit: 32768-65000
|        msg-cache-size: 32m
|        msg-cache-slabs: 4
|        num-queries-per-thread: 1024
|        rrset-cache-size: 64m
|        rrset-cache-slabs: 4
|        cache-max-ttl: 86400
|        infra-host-ttl: 900
|        infra-lame-ttl: 900
|        infra-cache-slabs: 4
|        infra-cache-numhosts: 10000
|        infra-cache-lame-size: 10k
|        do-ip4: yes
|        do-ip6: no
|        do-udp: yes
|        do-tcp: yes
|        do-daemonize: yes
|
|        access-control: 0.0.0.0/0 refuse
|        access-control: 10.1.1.0/24 allow
|        access-control: 192.168.15.0/24 allow
|        access-control: 127.0.0.0/8 allow
|        access-control: ::0/0 refuse
|        access-control: ::1 allow
|        access-control: ::ffff:127.0.0.1 allow
|
|        chroot: "/usr/local/etc/unbound"
|        username: "unbound"
|        directory: "/usr/local/etc/unbound"
|        logfile: "/usr/local/etc/unbound/unbound.log"
|        #logfile: ""
|        use-syslog: no
|        pidfile: "/usr/local/etc/unbound/unbound.pid"
|        root-hints: "/usr/local/etc/unbound/named.cache"
|
|        identity: "a"
|        version: "1"
|        hide-identity: yes
|        hide-version: yes
|        harden-glue: yes
|        do-not-query-address: 127.0.0.1/8
|        do-not-query-address: ::1
|        do-not-query-localhost: yes
|        module-config: "iterator"
|
| ---
|
| From the ipfw -d show output I can see that Unbound is actually using
| source UDP port numbers that are outside of the defined
| outgoing-port-permit range:
|
| 01300     1      40 (4s) STATE udp 11.112.44.xxx 19405 <-> 195.59.44.134 53
| 01300     1      75 (4s) STATE udp 11.112.44.xxx 12506 <-> 63.209.3.131 53
| 01300     1     326 (3s) STATE udp 11.112.44.xxx 36161 <-> 66.218.71.63 53
| 01300     1      40 (4s) STATE udp 11.112.44.xxx 33033 <-> 124.211.40.3 53
| 01300     1      75 (4s) STATE udp 11.112.44.xxx 27274 <-> 63.209.3.132 53
| 01300     1      40 (4s) STATE udp 11.112.44.xxx 24709 <-> 63.209.3.132 53
| 01300     1      40 (4s) STATE udp 11.112.44.xxx 39301 <-> 63.209.3.131 53
| 01300     1      92 (4s) STATE udp 11.112.44.xxx 63155 <-> 195.59.44.134 53
| 01300     1      75 (4s) STATE udp 11.112.44.xxx 29005 <-> 81.52.250.132 53
| 01300     1     545 (3s) STATE udp 11.112.44.xxx 65480 <-> 192.26.92.30 53
| 01300     1     335 (3s) STATE udp 11.112.44.xxx 42386 <-> 192.52.178.30 53
| 01300     1     328 (3s) STATE udp 11.112.44.xxx 32650 <-> 192.35.51.30 53
| 01300     1     333 (3s) STATE udp 11.112.44.xxx 15798 <-> 192.33.14.30 53
| 01300     1      77 (4s) STATE udp 11.112.44.xxx 60832 <-> 124.211.40.3 53
| 01300     1      40 (4s) STATE udp 11.112.44.xxx 21815 <-> 195.59.44.134 53
| 01300     1      75 (4s) STATE udp 11.112.44.xxx 23089 <-> 195.59.44.134 53
| 01300     1      40 (3s) STATE udp 11.112.44.xxx 4915 <-> 81.52.250.132 53
|
|
| Is it because of problems with my unbound.conf?
| Thanks!
| _______________________________________________
| Unbound-users mailing list
| Unbound-users at unbound.net
| http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkiWs6QACgkQkDLqNwOhpPiYwACgjj398KO+TLiWmwcbdmRFkfsD
yloAoIBzo0LsYsTfgobVipOF9k6tXkhz
=Bq/w
-----END PGP SIGNATURE-----
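The in-order add/subtract semantics of outgoing-port-permit and outgoing-port-avoid that Wouter describes above are easy to get wrong by eye, so here is a small simulation of that set arithmetic, followed by a check of the posted `ipfw -d show` lines against the resulting set. This is an added example written for this page, not Unbound's source and not code from either poster. Its default port set is a stand-in: 1024-65535 minus a made-up handful of "IANA-allocated" exceptions (DEFAULT_EXCEPTIONS), since the real exception list compiled into Unbound 1.0.x is not reproduced here. The sample ipfw lines are four of the ones Beastie posted.

```python
"""Model Unbound's outgoing port set: permit/avoid directives are applied
in config-file order to a default set, then an `ipfw -d show` listing is
checked against the result.  Illustrative code, not Unbound's own."""
import re

MAX_PORT = 65535

# Assumption: a stand-in for Unbound's built-in IANA exception list.
# The real list in Unbound 1.0.x is longer; the exact entries do not
# matter for the permit/avoid ordering point shown here.
DEFAULT_EXCEPTIONS = [(1433, 1434), (3306, 3306), (5432, 5432), (33434, 33534)]


def parse_range(spec):
    """'32768-65000' -> (32768, 65000); a bare '53' -> (53, 53)."""
    lo, sep, hi = spec.partition("-")
    lo = int(lo)
    hi = int(hi) if sep else lo
    if not 0 <= lo <= hi <= MAX_PORT:
        raise ValueError("bad port range: %s" % spec)
    return lo, hi


def default_port_set():
    """Bitmap of usable source ports before any permit/avoid lines:
    1024-65535 with the (stand-in) IANA exceptions removed."""
    allowed = bytearray(MAX_PORT + 1)  # index = port, 1 = may be used
    for p in range(1024, MAX_PORT + 1):
        allowed[p] = 1
    for lo, hi in DEFAULT_EXCEPTIONS:
        for p in range(lo, hi + 1):
            allowed[p] = 0
    return allowed


def apply_directives(directives, allowed=None):
    """directives: list of (keyword, 'lo-hi') tuples in config-file order.
    permit sets ports in the bitmap, avoid clears them; later lines win."""
    allowed = bytearray(default_port_set() if allowed is None else allowed)
    for keyword, spec in directives:
        lo, hi = parse_range(spec)
        value = {"outgoing-port-permit": 1, "outgoing-port-avoid": 0}[keyword]
        for p in range(lo, hi + 1):
            allowed[p] = value
    return allowed


def allowed_ranges(allowed):
    """Collapse the bitmap into contiguous (lo, hi) ranges for display."""
    ranges, start = [], None
    for p in range(MAX_PORT + 2):
        on = p <= MAX_PORT and allowed[p]
        if on and start is None:
            start = p
        elif not on and start is not None:
            ranges.append((start, p - 1))
            start = None
    return ranges


# Dynamic-rule lines as printed by `ipfw -d show` (FreeBSD 7 format).
IPFW_STATE = re.compile(r"STATE udp (\S+) (\d+) <-> (\S+) (\d+)")

# Four lines taken from Beastie's post above; the host is masked as posted.
SAMPLE_IPFW = """\
01300     1      40 (4s) STATE udp 11.112.44.xxx 19405 <-> 195.59.44.134 53
01300     1     326 (3s) STATE udp 11.112.44.xxx 36161 <-> 66.218.71.63 53
01300     1     545 (3s) STATE udp 11.112.44.xxx 65480 <-> 192.26.92.30 53
01300     1      40 (3s) STATE udp 11.112.44.xxx 4915 <-> 81.52.250.132 53
""".splitlines()


def offending_source_ports(ipfw_lines, allowed):
    """Source ports of UDP/53 states that are outside the allowed bitmap,
    i.e. what a firewall rule keyed on the intended range would have dropped."""
    bad = []
    for line in ipfw_lines:
        m = IPFW_STATE.search(line)
        if m and not allowed[int(m.group(2))]:
            bad.append(int(m.group(2)))
    return bad


if __name__ == "__main__":
    beastie = [("outgoing-port-permit", "32768-65000")]
    fixed = beastie + [("outgoing-port-avoid", "0-32767"),
                       ("outgoing-port-avoid", "65001-65535")]
    for name, conf in (("permit only", beastie), ("permit + avoid", fixed)):
        ports = apply_directives(conf)
        print("%-15s allowed=%s  outside set=%s"
              % (name, allowed_ranges(ports),
                 offending_source_ports(SAMPLE_IPFW, ports)))
```

With only the permit line, every posted source port is still inside the set, so Unbound was behaving as configured; the two avoid lines collapse the set to exactly 32768-65000, and the same ipfw output then shows which states fall outside it. Note that the permit line also re-adds any default exceptions inside 32768-65000, which is the "removes the default IANA allocation exceptions in that range" effect Wouter mentions.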