Thanks for your clear answer! Looks like I missed something while reading man
unbound.conf, and got into a misunderstanding about all these ranges ;)

Feature request? Maybe it would be valuable to implement in future releases of
Unbound a new configuration option like outgoing-port-range: to be able to
clearly direct the allowed port range? It is not so important but may be
valuable... Or append your explanation as a comment to the unbound.conf man
page...

Thanks!

2008/8/4 Wouter Wijngaards <wouter at nlnetlabs.nl>:
> Hi Beastie,
>
> The default unbound port range is 1024 - 65535 with exceptions for IANA
> allocated ports and some ephemeral port ranges. You thought your range
> was the only range, but instead the permit and avoid lines are parsed in
> order, adding the permitted ports and subtracting the avoided ports from
> the set of ports allowed for use.
>
> Your outgoing-port-permit: 32768-65000 does not change much about it
> (well, it removes the default IANA allocation exceptions in that range).
>
> If you want to stop unbound from using port numbers below 32768 use
> outgoing-port-avoid: 0-32767
> and above 65000 with
> outgoing-port-avoid: 65001-65535
>
> The two avoid lines make unbound do what you want it to (only take ports
> from 32768 to 65000).
>
> Best regards,
> ~ Wouter
>
> Beastie wrote:
> | Hello.
> |
> | My system is FreeBSD 7.0-RELEASE-p3 and I'm running Unbound 1.0.1 +
> | libevent-1.3e installed from ports.
> | System firewall is configured to use dynamic firewall rules.
> |
> | ---
> |
> | IPFW configuration:
> | allow ip from any to any via lo0
> | deny ip from any to 127.0.0.0/8
> | deny ip from 127.0.0.0/8 to any
> | add check-state
> | add deny icmp from any to any frag
> | add allow icmp from any to me icmptypes 0,3,11
> | add allow icmp from me to any out keep-state
> | add allow tcp from me to any out keep-state
> | add allow udp from me to any out keep-state
> | add deny tcp from any to any
> | add deny udp from any to any
> | add deny ip from any to any
> |
> | ---
> |
> | unbound.conf
> | server:
> |     verbosity: 0
> |     #statistics-interval: 3600
> |     num-threads: 4
> |     interface: 0.0.0.0
> |     port: 53
> |     outgoing-range: 256
> |     outgoing-port-permit: 32768-65000
> |     msg-cache-size: 32m
> |     msg-cache-slabs: 4
> |     num-queries-per-thread: 1024
> |     rrset-cache-size: 64m
> |     rrset-cache-slabs: 4
> |     cache-max-ttl: 86400
> |     infra-host-ttl: 900
> |     infra-lame-ttl: 900
> |     infra-cache-slabs: 4
> |     infra-cache-numhosts: 10000
> |     infra-cache-lame-size: 10k
> |     do-ip4: yes
> |     do-ip6: no
> |     do-udp: yes
> |     do-tcp: yes
> |     do-daemonize: yes
> |
> |     access-control: 0.0.0.0/0 refuse
> |     access-control: 10.1.1.0/24 allow
> |     access-control: 192.168.15.0/24 allow
> |     access-control: 127.0.0.0/8 allow
> |     access-control: ::0/0 refuse
> |     access-control: ::1 allow
> |     access-control: ::ffff:127.0.0.1 allow
> |
> |     chroot: "/usr/local/etc/unbound"
> |     username: "unbound"
> |     directory: "/usr/local/etc/unbound"
> |     logfile: "/usr/local/etc/unbound/unbound.log"
> |     #logfile: ""
> |     use-syslog: no
> |     pidfile: "/usr/local/etc/unbound/unbound.pid"
> |     root-hints: "/usr/local/etc/unbound/named.cache"
> |
> |     identity: "a"
> |     version: "1"
> |     hide-identity: yes
> |     hide-version: yes
> |     harden-glue: yes
> |     do-not-query-address: 127.0.0.1/8
> |     do-not-query-address: ::1
> |     do-not-query-localhost: yes
> |     module-config: "iterator"
> |
> | ---
> |
> | From the ipfw -d show output I can see that Unbound is actually using
> | source UDP port numbers that are outside the defined
> | outgoing-port-permit range:
> |
> | 01300 1 40 (4s) STATE udp 11.112.44.xxx 19405 <-> 195.59.44.134 53
> | 01300 1 75 (4s) STATE udp 11.112.44.xxx 12506 <-> 63.209.3.131 53
> | 01300 1 326 (3s) STATE udp 11.112.44.xxx 36161 <-> 66.218.71.63 53
> | 01300 1 40 (4s) STATE udp 11.112.44.xxx 33033 <-> 124.211.40.3 53
> | 01300 1 75 (4s) STATE udp 11.112.44.xxx 27274 <-> 63.209.3.132 53
> | 01300 1 40 (4s) STATE udp 11.112.44.xxx 24709 <-> 63.209.3.132 53
> | 01300 1 40 (4s) STATE udp 11.112.44.xxx 39301 <-> 63.209.3.131 53
> | 01300 1 92 (4s) STATE udp 11.112.44.xxx 63155 <-> 195.59.44.134 53
> | 01300 1 75 (4s) STATE udp 11.112.44.xxx 29005 <-> 81.52.250.132 53
> | 01300 1 545 (3s) STATE udp 11.112.44.xxx 65480 <-> 192.26.92.30 53
> | 01300 1 335 (3s) STATE udp 11.112.44.xxx 42386 <-> 192.52.178.30 53
> | 01300 1 328 (3s) STATE udp 11.112.44.xxx 32650 <-> 192.35.51.30 53
> | 01300 1 333 (3s) STATE udp 11.112.44.xxx 15798 <-> 192.33.14.30 53
> | 01300 1 77 (4s) STATE udp 11.112.44.xxx 60832 <-> 124.211.40.3 53
> | 01300 1 40 (4s) STATE udp 11.112.44.xxx 21815 <-> 195.59.44.134 53
> | 01300 1 75 (4s) STATE udp 11.112.44.xxx 23089 <-> 195.59.44.134 53
> | 01300 1 40 (3s) STATE udp 11.112.44.xxx 4915 <-> 81.52.250.132 53
> |
> |
> | Is it because of problems with my unbound.conf ?
> | Thanks!
> | _______________________________________________
> | Unbound-users mailing list
> | Unbound-users at unbound.net
> | http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
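The permit/avoid evaluation Wouter describes, as an added example that is not part of this thread or of Unbound's own code: it builds the allowed port set in order (default set, then each permit/avoid line) and checks the source ports from the ipfw output against it. The DEFAULT_EXCEPTIONS list is an illustrative stand-in, not Unbound's real IANA exception list.

```python
# Added example (not Unbound's code): simulate how the outgoing port set is
# built per Wouter's description, then check it against the ipfw output.
from typing import Iterable, List, Tuple

# Illustrative stand-in only: Unbound's real default exception list (IANA ports,
# some ephemeral ranges) is much longer than these three entries.
DEFAULT_EXCEPTIONS = [(1433, 1434), (3306, 3306), (8080, 8080)]

def default_port_set() -> set:
    """Default per the thread: 1024-65535 minus the exception ranges."""
    ports = set(range(1024, 65536))
    for lo, hi in DEFAULT_EXCEPTIONS:
        ports -= set(range(lo, hi + 1))
    return ports

def parse_range(text: str) -> Tuple[int, int]:
    """'32768-65000' -> (32768, 65000); a bare '53' -> (53, 53)."""
    lo, _, hi = text.strip().partition("-")
    lo_i, hi_i = int(lo), (int(hi) if hi else int(lo))
    if not 0 <= lo_i <= hi_i <= 65535:
        raise ValueError(f"bad port range: {text!r}")
    return lo_i, hi_i

def apply_port_lines(lines: Iterable[str]) -> set:
    """Apply outgoing-port-permit/avoid lines in order to the default set."""
    ports = default_port_set()
    for line in lines:
        key, _, value = line.partition(":")
        lo, hi = parse_range(value)
        if key.strip() == "outgoing-port-permit":
            ports |= set(range(lo, hi + 1))  # permit only adds, never restricts
        elif key.strip() == "outgoing-port-avoid":
            ports -= set(range(lo, hi + 1))
        else:
            raise ValueError(f"unsupported option: {key!r}")
    return ports

def ports_outside(ports: set, observed: Iterable[int]) -> List[int]:
    """Observed source ports (e.g. from 'ipfw -d show') not in the set."""
    return sorted(p for p in observed if p not in ports)

# Source ports taken from the ipfw -d show output quoted in the thread.
OBSERVED = [19405, 12506, 36161, 33033, 27274, 24709, 39301, 63155, 29005,
            65480, 42386, 32650, 15798, 60832, 21815, 23089, 4915]
PERMIT_ONLY = ["outgoing-port-permit: 32768-65000"]
WITH_AVOIDS = PERMIT_ONLY + ["outgoing-port-avoid: 0-32767", "outgoing-port-avoid: 65001-65535"]

if __name__ == "__main__":
    for name, cfg in (("permit only", PERMIT_ONLY), ("with avoids", WITH_AVOIDS)):
        print(name, "- seen ports outside set:", ports_outside(apply_port_lines(cfg), OBSERVED))
```

With the permit line alone every observed port is still allowed; with the two avoid lines added, the ports below 32768 and the one above 65000 fall outside the set, which is exactly what the ipfw state table showed.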