Bug 391931 - Bind doesn't obey net.ipv4.ip_local_port_range
Product: Fedora
Classification: Fedora
Component: bind
Hardware/OS: All / Linux
Priority: low
Severity: medium
Assigned To: Adam Tkac
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-11-20 06:25 EST by Bojan Smojver
Modified: 2013-04-30 19:37 EDT
Doc Type: Bug Fix
Last Closed: 2007-12-03 04:10:11 EST
Description Bojan Smojver 2007-11-20 06:25:38 EST
Description of problem:
Outgoing ports are picked outside this range, causing trouble for firewalls that
expect only certain destination ports to be accepted for the traffic coming back
into the box.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Run bind.
2. Query A records and watch bind use ports outside the range.
Actual results:
System-set port range not obeyed.

Expected results:
The system-set port range should be obeyed.

Additional info:
As far as I can tell, this was not the case in bind in F7.
Comment 1 Adam Tkac 2007-11-20 09:05:42 EST
You're right. The code which creates sockets changed in 9.5. I recommend you use
the query-source{,-v6} option before I create a patch.
Comment 2 Adam Tkac 2007-11-20 09:15:09 EST
Or if you have a firewall with iptables you can add a rule like

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

This rule should allow random incoming ports as responses to named's queries.
Comment 3 Adam Tkac 2007-11-20 11:31:32 EST
Could you please test http://koji.fedoraproject.org/koji/taskinfo?taskID=250133 ?
All should work as expected.
Comment 4 Bojan Smojver 2007-11-20 16:08:03 EST
I used the query-source option from comment #1 to work around the issue. Thanks
for the hints!

I'll download and test the new build now...
Comment 5 Bojan Smojver 2007-11-20 16:15:21 EST
Still the same. Picks random ports, not the one defined in
Comment 6 Bojan Smojver 2007-11-20 16:16:27 EST
Should have said: not the _ones_ defined.
Comment 7 Bojan Smojver 2007-11-21 01:50:23 EST
BTW, does avoid-v4-udp-ports take a range of ports as an argument? I tried
port:port and port-port, but got syntax errors there. Typing thousands of ports,
each followed by ;, seems rather impractical...
Comment 8 Adam Tkac 2007-11-21 04:56:12 EST
grr, I created the patch but forgot to apply it :) Could you please test
http://koji.fedoraproject.org/koji/taskinfo?taskID=252611 ? The patch is really
applied now.

About avoid-v4-udp-ports - from the manpage and ARM you have to specify a list, not
a range. Let me discuss this option with upstream. Specifying a list is really
Comment 9 Bojan Smojver 2007-11-21 05:16:08 EST
Lookin' good!

Thanks for the prompt fix.

PS. Yeah, you're right about avoid-v4-udp-ports - it's more or less useless as it is.
Comment 10 Adam Tkac 2007-11-21 06:54:50 EST
Thank you for the feedback. I'm going to apply that patch in the next build, but upstream
doesn't like it because the Linux kernel doesn't pick port numbers randomly (= lower
security). The patch will be a temporary solution before upstream extends the
avoid-v4-udp-ports or query-source options. I expect that in the end port numbers
will be controlled in named.conf.
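The report describes the resolver picking UDP source ports outside the kernel's net.ipv4.ip_local_port_range, and comment 10 adds the opposite concern, that ports handed out in order rather than at random weaken security. The following script is an added example, not code from the bug report, from BIND or from Fedora: it parses the two-integer contents of /proc/sys/net/ipv4/ip_local_port_range, reports any observed source ports that fall outside it, and flags a run of consecutive ports. The range text and the list of observed ports are constructed sample data; on a real host you would read the range from the proc file and collect the source ports of named's outgoing queries with a tool such as ss or a packet capture.

```python
# Added example, not part of the bug report. Audits a list of UDP source
# ports against the kernel's ephemeral port range and checks whether the
# allocation looks sequential. All sample data below is constructed.

# Constructed stand-in for /proc/sys/net/ipv4/ip_local_port_range, which
# holds two integers, "LOW<tab>HIGH", followed by a newline.
SAMPLE_RANGE = "32768\t61000\n"

# Constructed source ports of outgoing queries, as a capture might show them.
# Three are outside the range above and the first three are consecutive.
SAMPLE_PORTS = [33012, 33013, 33014, 1025, 47899, 33015, 5873, 61001]


def parse_port_range(text):
    """Parse the 'LOW HIGH' form of ip_local_port_range into (low, high)."""
    parts = text.split()
    if len(parts) != 2:
        raise ValueError("expected 'LOW HIGH', got %r" % text)
    low, high = int(parts[0]), int(parts[1])
    if not (1 <= low <= high <= 65535):
        raise ValueError("invalid port range %d-%d" % (low, high))
    return low, high


def read_port_range(path="/proc/sys/net/ipv4/ip_local_port_range"):
    """Read and parse the live kernel setting (Linux only)."""
    with open(path) as f:
        return parse_port_range(f.read())


def ports_outside_range(ports, port_range):
    """Return the observed ports that the firewall rule would not expect."""
    low, high = port_range
    return [p for p in ports if not low <= p <= high]


def looks_sequential(ports, min_run=3):
    """True if at least min_run ports in a row each equal the previous one
    plus one, i.e. the allocator is handing ports out in order."""
    run = 1
    for prev, cur in zip(ports, ports[1:]):
        run = run + 1 if cur == prev + 1 else 1
        if run >= min_run:
            return True
    return False


def audit(range_text, ports):
    """Combine the checks into one result dict for reporting."""
    port_range = parse_port_range(range_text)
    return {
        "range": port_range,
        "outside": ports_outside_range(ports, port_range),
        "sequential": looks_sequential(ports),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_RANGE, SAMPLE_PORTS)
    print("kernel range: %d-%d" % result["range"])
    print("ports outside range:", result["outside"])
    print("sequential allocation:", result["sequential"])
```

Running it on the constructed data lists 1025, 5873 and 61001 as outside the range and reports the allocation as sequential; either finding is worth a closer look, the first because a firewall restricted to the range will drop the replies, the second for the reason given in comment 10.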
Comment 11 Adam Tkac 2007-12-03 02:51:19 EST
Hm, upstream doesn't want to do anything now. Would it be possible for you to use
query-source{,-v6}? I don't want to keep the discussed patch downstream.
Comment 12 Bojan Smojver 2007-12-03 03:55:20 EST
As I understand it, it's the same as the patch in .2 anyway, so should be OK.
Hopefully, they'll have a range there (like for instance vsftpd does), so that
people can pick ports they want.
Comment 13 Adam Tkac 2007-12-03 04:10:11 EST
(In reply to comment #12)
> As I understand it, it's the same as the patch in .2 anyway, so should be OK.
> Hopefully, they'll have a range there (like for instance vsftpd does), so that
> people can pick ports they want.

Yes, I told them that.
