Maintained by: NLnet Labs

[Unbound-users] wrong outgoing-port-permit port range handling?

Beastie
Mon Aug 4 11:17:08 CEST 2008


Thanks for your clear answer!

Looks like I missed something while reading man unbound.conf, and
got into a misunderstanding about all these ranges ;)

Feature request?
Maybe it would be valuable to implement in a future release of
Unbound a new configuration option like outgoing-port-range: to be
able to clearly direct the allowed port range? It is not so important but
may be valuable... Or append your explanation as a comment to the
unbound.conf man page...

Thanks!




2008/8/4 Wouter Wijngaards <wouter at nlnetlabs.nl>:
>
> Hi Beastie,
>
> The default unbound port range is 1024 - 65535 with exceptions for IANA
> allocated ports and some ephemeral port ranges. You thought your range
> was the only range, but instead the permit and avoid lines are parsed in
> order, adding the permitted ports and subtracting the avoided ports from
> the set of ports allowed from use.
>
> Your outgoing-port-permit: 32768-65000 does not change much about it
> (well it removes the default IANA allocation exceptions in that range).
>
> If you want to stop unbound from using port numbers below 32768 use
>        outgoing-port-avoid: 0-32767
> and above 65000 with
>        outgoing-port-avoid: 65001-65535
>
> The two avoid lines make unbound do what you want it to (only take ports
> from 32768 to 65000)
>
> Best regards,
> ~   Wouter
>
> Beastie wrote:
> | Hello.
> |
> | My system is FreeBSD 7.0-RELEASE-p3 and I'm running Unbound 1.0.1 +
> | libevent-1.3e installed from ports.
> | System firewall is configured to use dynamic firewall rules.
> |
> | ---
> |
> | IPFW configuration:
> | allow ip from any to any via lo0
> | deny ip from any to 127.0.0.0/8
> | deny ip from 127.0.0.0/8 to any
> | add check-state
> | add deny icmp from any to any frag
> | add allow icmp from any to me icmptypes 0,3,11
> | add allow icmp from me to any out keep-state
> | add allow tcp from me to any out keep-state
> | add allow udp from me to any out keep-state
> | add deny tcp from any to any
> | add deny udp from any to any
> | add deny ip from any to any
> |
> | ---
> |
> | unbound.conf
> | server:
> |        verbosity: 0
> |        #statistics-interval: 3600
> |        num-threads: 4
> |        interface: 0.0.0.0
> |        port: 53
> |        outgoing-range: 256
> |        outgoing-port-permit: 32768-65000
> |        msg-cache-size: 32m
> |        msg-cache-slabs: 4
> |        num-queries-per-thread: 1024
> |        rrset-cache-size: 64m
> |        rrset-cache-slabs: 4
> |        cache-max-ttl: 86400
> |        infra-host-ttl: 900
> |        infra-lame-ttl: 900
> |        infra-cache-slabs: 4
> |        infra-cache-numhosts: 10000
> |        infra-cache-lame-size: 10k
> |        do-ip4: yes
> |        do-ip6: no
> |        do-udp: yes
> |        do-tcp: yes
> |        do-daemonize: yes
> |
> |        access-control: 0.0.0.0/0 refuse
> |        access-control: 10.1.1.0/24 allow
> |        access-control: 192.168.15.0/24 allow
> |        access-control: 127.0.0.0/8 allow
> |        access-control: ::0/0 refuse
> |        access-control: ::1 allow
> |        access-control: ::ffff:127.0.0.1 allow
> |
> |        chroot: "/usr/local/etc/unbound"
> |        username: "unbound"
> |        directory: "/usr/local/etc/unbound"
> |        logfile: "/usr/local/etc/unbound/unbound.log"
> |        #logfile: ""
> |        use-syslog: no
> |        pidfile: "/usr/local/etc/unbound/unbound.pid"
> |        root-hints: "/usr/local/etc/unbound/named.cache"
> |
> |        identity: "a"
> |        version: "1"
> |        hide-identity: yes
> |        hide-version: yes
> |        harden-glue: yes
> |        do-not-query-address: 127.0.0.1/8
> |        do-not-query-address: ::1
> |        do-not-query-localhost: yes
> |        module-config: "iterator"
> |
> | ---
> |
> | From the ipfw -d show output I can see that Unbound is actually using
> | source UDP port numbers that are outside the defined
> | outgoing-port-permit range:
> |
> | 01300     1      40 (4s) STATE udp 11.112.44.xxx 19405 <-> 195.59.44.134 53
> | 01300     1      75 (4s) STATE udp 11.112.44.xxx 12506 <-> 63.209.3.131 53
> | 01300     1     326 (3s) STATE udp 11.112.44.xxx 36161 <-> 66.218.71.63 53
> | 01300     1      40 (4s) STATE udp 11.112.44.xxx 33033 <-> 124.211.40.3 53
> | 01300     1      75 (4s) STATE udp 11.112.44.xxx 27274 <-> 63.209.3.132 53
> | 01300     1      40 (4s) STATE udp 11.112.44.xxx 24709 <-> 63.209.3.132 53
> | 01300     1      40 (4s) STATE udp 11.112.44.xxx 39301 <-> 63.209.3.131 53
> | 01300     1      92 (4s) STATE udp 11.112.44.xxx 63155 <-> 195.59.44.134 53
> | 01300     1      75 (4s) STATE udp 11.112.44.xxx 29005 <-> 81.52.250.132 53
> | 01300     1     545 (3s) STATE udp 11.112.44.xxx 65480 <-> 192.26.92.30 53
> | 01300     1     335 (3s) STATE udp 11.112.44.xxx 42386 <-> 192.52.178.30 53
> | 01300     1     328 (3s) STATE udp 11.112.44.xxx 32650 <-> 192.35.51.30 53
> | 01300     1     333 (3s) STATE udp 11.112.44.xxx 15798 <-> 192.33.14.30 53
> | 01300     1      77 (4s) STATE udp 11.112.44.xxx 60832 <-> 124.211.40.3 53
> | 01300     1      40 (4s) STATE udp 11.112.44.xxx 21815 <-> 195.59.44.134 53
> | 01300     1      75 (4s) STATE udp 11.112.44.xxx 23089 <-> 195.59.44.134 53
> | 01300     1      40 (3s) STATE udp 11.112.44.xxx 4915 <-> 81.52.250.132 53
> |
> |
> | Is it because of problems with my unbound.conf ?
> | Thanks!
> | _______________________________________________
> | Unbound-users mailing list
> | Unbound-users at unbound.net
> | http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
>
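The set semantics Wouter describes (permit lines add to, avoid lines subtract from, a default port set, in configuration order) are easy to get wrong by reading a permit line as "only these ports". The following Python is an added example, not Unbound's code or anything from NLnet Labs; it models that ordered add/subtract behaviour, applies it to the permit line from the original config and to the two avoid lines from the reply, and then scans `ipfw -d show`-style state lines (constructed here, in the format shown in the thread) for source ports that fall outside the resulting set. Assumptions: the default range is taken as 1024-65535 exactly, so the IANA-allocated-port exceptions Wouter mentions are not modelled, and the ipfw line format is only what the thread shows.

```python
"""Model of how Unbound builds its outgoing port set from the permit/avoid
options, plus a check of firewall state lines against that set.

Added example, not Unbound's own code. Assumptions are marked below."""
import re

PORT_COUNT = 65536


def parse_port_range(spec):
    """'32768-65000' -> (32768, 65000); a single number 'N' -> (N, N)."""
    parts = spec.strip().split("-")
    lo = int(parts[0])
    hi = int(parts[1]) if len(parts) > 1 else lo
    if not (0 <= lo <= hi < PORT_COUNT):
        raise ValueError(f"bad port range: {spec}")
    return lo, hi


def build_port_set(config_lines, default_permit=(1024, 65535)):
    """Apply outgoing-port-permit / outgoing-port-avoid lines in the order
    they appear, starting from the default permitted range.

    Assumption: the real default additionally removes IANA-allocated ports
    inside 1024-65535; that exception list is not modelled here."""
    allowed = set(range(default_permit[0], default_permit[1] + 1))
    for line in config_lines:
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition(":")
        key = key.strip()
        if key == "outgoing-port-permit":
            lo, hi = parse_port_range(value)
            allowed.update(range(lo, hi + 1))          # permit adds ports
        elif key == "outgoing-port-avoid":
            lo, hi = parse_port_range(value)
            allowed.difference_update(range(lo, hi + 1))  # avoid removes
    return allowed


def port_set_bounds(allowed):
    """Smallest and largest port the resolver may use, or None if empty."""
    return (min(allowed), max(allowed)) if allowed else None


# Matches the 'STATE udp <src> <sport> <-> <dst> <dport>' part of a line
# from `ipfw -d show`; only the format seen in this thread is handled.
IPFW_STATE_RE = re.compile(r"STATE\s+udp\s+(\S+)\s+(\d+)\s+<->\s+(\S+)\s+(\d+)")


def ports_outside(ipfw_lines, allowed):
    """Return (source_port, dst_address) for every UDP state whose local
    source port is not in the allowed set."""
    out = []
    for line in ipfw_lines:
        m = IPFW_STATE_RE.search(line)
        if m and int(m.group(2)) not in allowed:
            out.append((int(m.group(2)), m.group(3)))
    return out


# The permit line from the original unbound.conf in the thread.
ORIGINAL_CONFIG = ["outgoing-port-permit: 32768-65000"]

# The two avoid lines from the reply.
FIXED_CONFIG = [
    "outgoing-port-avoid: 0-32767",
    "outgoing-port-avoid: 65001-65535",
]

# Constructed sample lines in the format shown by the thread's ipfw output.
SAMPLE_IPFW = [
    "01300     1      40 (4s) STATE udp 11.112.44.xxx 19405 <-> 195.59.44.134 53",
    "01300     1     326 (3s) STATE udp 11.112.44.xxx 36161 <-> 66.218.71.63 53",
    "01300     1     545 (3s) STATE udp 11.112.44.xxx 65480 <-> 192.26.92.30 53",
    "01300     1      40 (4s) STATE udp 11.112.44.xxx 33033 <-> 124.211.40.3 53",
]

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        ports = build_port_set(cfg)
        print(name, "bounds:", port_set_bounds(ports), "size:", len(ports))
        print(name, "states outside set:", ports_outside(SAMPLE_IPFW, ports))
```

Run against the original permit line the set still spans 1024-65535, so none of the sample states is flagged, which is exactly what the thread's ipfw output showed; with the two avoid lines the set is 32768-65000 and the 19405 and 65480 states stand out. The size the script prints is also worth a glance when tightening a range for firewall reasons: it is the number of distinct source ports the resolver has left to randomize over.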