no need to do this
Authored by: mzs on Mar 13, '06 06:34:45PM

There have been some good responses as to why this hint is not a good idea. I think that what the original submitter of the hint was worried about was a scenario like this:

Say he wanted to run sshd (remote logins) or have other machines be able to talk to his X server (X11.app). sshd uses tcp port 22 and X uses tcp port 6000 (for DISPLAY=:0). Now he does not have these running all of the time, but he only wants these ports open when he runs those apps. He thinks that there is something to gain by doing this. Probably he is worried that some other application will run and use port 22 or 6000. Since he has those ports open in his firewall, then some adversary will be able to connect to that other program and possibly break into his machine. Here is why that will not happen:

Run this command in the terminal on your mac:

/usr/sbin/sysctl -a | fgrep net.inet.ip.portrange

net.inet.ip.portrange.first: 49152
net.inet.ip.portrange.last: 65535
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.hilast: 65535
net.inet.ip.portrange.lowfirst: 1023
net.inet.ip.portrange.lowlast: 600

(Older systems may have first: 1024 and last: 5000)

When a program selects a port to use it can do that through a call to connect() or bind(). It can specify the port number it wishes to use. Alternatively, if 0 is used for the port number, the system chooses a free ephemeral port on your behalf. These ephemeral ports are from first to last (or hifirst to hilast depending on the IP_PORTRANGE option, but that is getting into too much detail). In any case, in a default config any port that is automatically chosen will be in the range 49152 to 65535. Notice how ports 22 and 6000 are not in that range. Programs that deliberately choose certain port numbers choose ones that are not in the ranges 1024-5000 or 49152-65535 because of this convention.

So you will never have the situation occur that some application got an ephemeral port that happened to be one that you opened in the firewall. Any reasonable application that requires ports to be opened in a firewall for it to work correctly will use ports that are not in the ranges of ports used for ephemeral ports.

I hope that makes sense; it is not so hard to understand as I seem to have written :( In any case, just trust me and the other respondents who wrote comments saying that using this hint serves no good purpose.



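The point mzs makes above can be checked directly. The following script is an added example, not part of the original comment: it reads the kernel's configured ephemeral range (the net.inet.ip.portrange sysctls on macOS, /proc/sys/net/ipv4/ip_local_port_range on Linux), binds a batch of sockets with port 0 so the OS picks the port, and confirms that none of the kernel-chosen ports lands on a port you would have opened in the firewall for a real service. The service ports 22 and 6000 are the ones from the comment; the batch size is an arbitrary choice.

```python
import platform
import socket
import subprocess


def ephemeral_range():
    """Return (first, last) of the OS ephemeral port range, or None if unknown."""
    system = platform.system()
    if system == "Darwin":
        out = subprocess.check_output(
            ["/usr/sbin/sysctl", "-n",
             "net.inet.ip.portrange.first", "net.inet.ip.portrange.last"],
            text=True,
        ).split()
        return int(out[0]), int(out[1])
    if system == "Linux":
        with open("/proc/sys/net/ipv4/ip_local_port_range") as f:
            first, last = f.read().split()
        return int(first), int(last)
    return None


def bind_ephemeral(count=20):
    """Bind `count` TCP sockets to port 0 and return the ports the kernel chose.

    All sockets stay open until the end so the kernel cannot hand out the
    same port twice within the batch."""
    socks, ports = [], []
    try:
        for _ in range(count):
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.bind(("127.0.0.1", 0))          # port 0: let the OS pick
            socks.append(s)
            ports.append(s.getsockname()[1])  # read back the assigned port
    finally:
        for s in socks:
            s.close()
    return ports


def check_no_collision(ports, firewall_open=(22, 6000)):
    """Return (all_in_ephemeral_range, ports_that_collided_with_open_ports).

    The first element is None when the platform's range could not be read."""
    rng = ephemeral_range()
    in_range = None if rng is None else all(rng[0] <= p <= rng[1] for p in ports)
    collided = sorted(set(ports) & set(firewall_open))
    return in_range, collided
```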