Description of problem:
Outgoing ports are picked outside this range, causing trouble for firewalls that are expecting only certain destination ports to be accepted for the traffic coming back into the box.

Version-Release number of selected component (if applicable):
9.5.0-16.a6.fc8

How reproducible:
Always.

Steps to Reproduce:
1. Run bind.
2. Query A records and watch bind use ports outside the range.

Actual results:
System set ports not obeyed.

Expected results:
System set port range should be obeyed.

Additional info:
As far as I can tell, this was not the case in bind in F7.
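An added check for the reproduction steps above (not part of the bug report or of bind itself): it reads a sysctl-style range such as net.ipv4.ip_local_port_range, extracts the local ports of named's UDP sockets from ss-style lines, and lists the query ports that fall outside the range. The sample socket lines, the pid and fd values in them, and the function names are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the bug report or from bind): check whether the UDP
# source ports a named process is using obey a sysctl-style port range such as
# net.ipv4.ip_local_port_range, which on Linux reads "MIN<tab>MAX".

LISTEN_PORT=53   # named's own listener; it is not an outgoing query port

# read_port_range [RANGE]: print the range given as $1, or, when no argument
# is given, the running kernel's net.ipv4.ip_local_port_range.
read_port_range() {
    if [ -n "$1" ]; then
        printf '%s\n' "$1"
    else
        cat /proc/sys/net/ipv4/ip_local_port_range
    fi
}

# extract_udp_source_ports: pull the local port out of "ss -unap"-style
# lines (State Recv-Q Send-Q Local:Port Peer:Port ...) read on stdin.
# The last colon-separated field of column 4 is the port for both
# "0.0.0.0:1025" and "[::]:1025".
extract_udp_source_ports() {
    awk '$1 == "UNCONN" || $1 == "ESTAB" { n = split($4, a, ":"); print a[n] }'
}

# ports_outside_range MIN MAX: read one port per line on stdin, print the
# ports that fall outside [MIN, MAX]; exit 1 if there were any, 0 otherwise.
ports_outside_range() {
    awk -v min="$1" -v max="$2" '
        /^[0-9]+$/ { if ($1 + 0 < min + 0 || $1 + 0 > max + 0) { print $1; bad = 1 } }
        END { exit (bad ? 1 : 0) }'
}

# check_named_ports [RANGE]: combine the three steps; the listener port is
# excluded so that only query sockets are judged.
check_named_ports() {
    range=$(read_port_range "$1")
    set -- $range
    extract_udp_source_ports | grep -vx "$LISTEN_PORT" | ports_outside_range "$1" "$2"
}

# Constructed sample in the shape of "ss -unap" output; the pid and fd
# numbers are made up. Two of the query sockets sit below/above the range.
SAMPLE='UNCONN 0 0 0.0.0.0:53 0.0.0.0:* users:(("named",pid=1234,fd=20))
UNCONN 0 0 0.0.0.0:1025 0.0.0.0:* users:(("named",pid=1234,fd=21))
UNCONN 0 0 0.0.0.0:40000 0.0.0.0:* users:(("named",pid=1234,fd=22))
UNCONN 0 0 [::]:65000 [::]:* users:(("named",pid=1234,fd=23))'

# Demo against the sample with an explicit range; on a real host run
#   ss -unap | check_named_ports
if printf '%s\n' "$SAMPLE" | check_named_ports '32768 60999'; then
    echo "all query ports inside the range"
else
    echo "the ports above are outside the range"
fi
```

On the constructed sample the script prints 1025 and 65000 and exits non-zero; port 53 is skipped as the listener and 40000 passes. Run without a range argument it uses the live kernel setting.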
You're right. The code which creates sockets was changed in 9.5. I recommend you use the query-source{,-v6} option before I create a patch.
Or if you have a firewall with iptables you will add a rule like `iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT`; this rule should allow random incoming ports as responses to named's queries.
Could you please test http://koji.fedoraproject.org/koji/taskinfo?taskID=250133 ? All should work as expected.
I used the query-source option from comment #1 to work around the issue. Thanks for the hints! I'll download and test new build now...
Still the same. Picks random ports, not the one defined in net.ipv4.ip_local_port_range.
Should have said: not the _ones_ defined.
BTW, does avoid-v4-udp-ports take a range of ports as an argument? I tried port:port and port-port, but got syntax errors there. Typing thousands of ports, each followed by ";", seems rather impractical...
grr, I created the patch but forgot to apply it :) Could you please test http://koji.fedoraproject.org/koji/taskinfo?taskID=252611 ? The patch is really applied now. About avoid-v4-udp-ports - from the manpage and ARM you have to specify a list, not a range. Let me discuss this option with upstream. Specifying a list is really impractical.
Lookin' good! Thanks for the prompt fix. PS. Yeah, you're right about avoid-v4-udp-ports - it's more or less useless as it is.
Thank you for the feedback. I'm going to apply that patch in the next build, but upstream doesn't like it because the linux kernel doesn't pick port numbers randomly (= lower security). The patch will be a temporary solution before upstream extends the avoid-v4-udp-ports or query-source options. I expect in the end port numbers will be controlled in named.conf.
Hm, upstream doesn't want to do anything now. Would it be possible for you to use query-source{,-v6}? I don't want to keep the discussed patch downstream.
As I understand it, it's the same as the patch in .2 anyway, so should be OK. Hopefully, they'll have a range there (like for instance vsftpd does), so that people can pick ports they want.
(In reply to comment #12)
> As I understand it, it's the same as the patch in .2 anyway, so should be OK.
> Hopefully, they'll have a range there (like for instance vsftpd does), so that
> people can pick ports they want.

Yes, I told them that.