Wrong outgoing-port-permit port range handling?

Hello.

My system is FreeBSD 7.0-RELEASE-p3 and I'm running Unbound 1.0.1 +
libevent-1.3e installed from ports.
System firewall is configured to use dynamic firewall rules.

Hi Beastie,

The default unbound port range is 1024 - 65535 with exceptions for IANA
allocated ports and some ephemeral port ranges. You thought your range
was the only range, but instead the permit and avoid lines are parsed in
order, adding the permitted ports and subtracting the avoided ports from
the set of ports allowed for use.

Your outgoing-port-permit: 32768-65000 does not change much about it
(well it removes the default IANA allocation exceptions in that range).

If you want to stop unbound from using port numbers below 32768 use
  outgoing-port-avoid: 0-32767
and above 65000 with
  outgoing-port-avoid: 65001-65535

The two avoid lines make unbound do what you want it to (only take ports
from 32768 to 65000).

Best regards,
~ Wouter

Beastie wrote:

Hello.

My system is FreeBSD 7.0-RELEASE-p3 and I'm running Unbound 1.0.1 +
libevent-1.3e installed from ports.
System firewall is configured to use dynamic firewall rules.

---

IPFW configuration:
allow ip from any to any via lo0
deny ip from any to 127.0.0.0/8
deny ip from 127.0.0.0/8 to any
add check-state
add deny icmp from any to any frag
add allow icmp from any to me icmptypes 0,3,11
add allow icmp from me to any out keep-state
add allow tcp from me to any out keep-state
add allow udp from me to any out keep-state
add deny tcp from any to any
add deny udp from any to any
add deny ip from any to any

---

unbound.conf
server:
       verbosity: 0
       #statistics-interval: 3600
       num-threads: 4
       interface: 0.0.0.0
       port: 53
       outgoing-range: 256
       outgoing-port-permit: 32768-65000
       msg-cache-size: 32m
       msg-cache-slabs: 4
       num-queries-per-thread: 1024
       rrset-cache-size: 64m
       rrset-cache-slabs: 4
       cache-max-ttl: 86400
       infra-host-ttl: 900
       infra-lame-ttl: 900
       infra-cache-slabs: 4
       infra-cache-numhosts: 10000
       infra-cache-lame-size: 10k
       do-ip4: yes
       do-ip6: no
       do-udp: yes
       do-tcp: yes
       do-daemonize: yes

       access-control: 0.0.0.0/0 refuse
       access-control: 10.1.1.0/24 allow
       access-control: 192.168.15.0/24 allow
       access-control: 127.0.0.0/8 allow
       access-control: ::0/0 refuse
       access-control: ::1 allow
       access-control: ::ffff:127.0.0.1 allow

       chroot: "/usr/local/etc/unbound"
       username: "unbound"
       directory: "/usr/local/etc/unbound"
       logfile: "/usr/local/etc/unbound/unbound.log"
       #logfile: ""
       use-syslog: no
       pidfile: "/usr/local/etc/unbound/unbound.pid"
       root-hints: "/usr/local/etc/unbound/named.cache"

       identity: "a"
       version: "1"
       hide-identity: yes
       hide-version: yes
       harden-glue: yes
       do-not-query-address: 127.0.0.1/8
       do-not-query-address: ::1
       do-not-query-localhost: yes
       module-config: "iterator"

---

From the ipfw -d show output I can see that Unbound is actually using
source UDP port numbers that are outside of the defined
outgoing-port-permit range:

01300 1 40 (4s) STATE udp 11.112.44.xxx 19405 <-> 195.59.44.134 53
01300 1 75 (4s) STATE udp 11.112.44.xxx 12506 <-> 63.209.3.131 53
01300 1 326 (3s) STATE udp 11.112.44.xxx 36161 <-> 66.218.71.63 53
01300 1 40 (4s) STATE udp 11.112.44.xxx 33033 <-> 124.211.40.3 53
01300 1 75 (4s) STATE udp 11.112.44.xxx 27274 <-> 63.209.3.132 53
01300 1 40 (4s) STATE udp 11.112.44.xxx 24709 <-> 63.209.3.132 53
01300 1 40 (4s) STATE udp 11.112.44.xxx 39301 <-> 63.209.3.131 53
01300 1 92 (4s) STATE udp 11.112.44.xxx 63155 <-> 195.59.44.134 53
01300 1 75 (4s) STATE udp 11.112.44.xxx 29005 <-> 81.52.250.132 53
01300 1 545 (3s) STATE udp 11.112.44.xxx 65480 <-> 192.26.92.30 53
01300 1 335 (3s) STATE udp 11.112.44.xxx 42386 <-> 192.52.178.30 53
01300 1 328 (3s) STATE udp 11.112.44.xxx 32650 <-> 192.35.51.30 53
01300 1 333 (3s) STATE udp 11.112.44.xxx 15798 <-> 192.33.14.30 53
01300 1 77 (4s) STATE udp 11.112.44.xxx 60832 <-> 124.211.40.3 53
01300 1 40 (4s) STATE udp 11.112.44.xxx 21815 <-> 195.59.44.134 53
01300 1 75 (4s) STATE udp 11.112.44.xxx 23089 <-> 195.59.44.134 53
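The following is an added example, not code from the thread or from the Unbound project. It simulates the port-set arithmetic Wouter describes (default set, then permit lines adding and avoid lines subtracting, in order) and then checks `ipfw -d show` dynamic-rule lines, in the format Beastie posted, for source ports that fall outside the resulting set. The exception list is a constructed stand-in: the real IANA-allocated exceptions are compiled into Unbound and are not listed on this page, and the sample ipfw lines are constructed in the posted format.

```python
"""Simulate Unbound's outgoing port set from permit/avoid lines and
check ipfw dynamic-rule lines against it (added example, not Unbound code)."""
import re

# Constructed stand-in for the IANA-allocated ports that Unbound removes from
# its default 1024-65535 set; the real list is not on the page.
ASSUMED_IANA_EXCEPTIONS = {1433, 1434, 3306, 5432, 33434}


def default_port_set():
    """Default set as described in the thread: 1024-65535 minus exceptions."""
    return set(range(1024, 65536)) - ASSUMED_IANA_EXCEPTIONS


def parse_range(text):
    """'32768-65000' -> (32768, 65000); a single port '53' -> (53, 53)."""
    lo, _, hi = text.strip().partition("-")
    lo = int(lo)
    hi = int(hi) if hi else lo
    if not (0 <= lo <= hi <= 65535):
        raise ValueError(f"bad port range: {text!r}")
    return lo, hi


def allowed_ports(config_lines):
    """Apply outgoing-port-permit / outgoing-port-avoid lines in order."""
    ports = default_port_set()
    for line in config_lines:
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        key, _, value = line.partition(":")
        key = key.strip()
        if key == "outgoing-port-permit":
            lo, hi = parse_range(value)
            ports |= set(range(lo, hi + 1))     # permit adds ports
        elif key == "outgoing-port-avoid":
            lo, hi = parse_range(value)
            ports -= set(range(lo, hi + 1))     # avoid subtracts ports
    return ports


# Matches the dynamic-rule lines printed by `ipfw -d show`, e.g.
# "01300 1 40 (4s) STATE udp 11.112.44.xxx 19405 <-> 195.59.44.134 53"
IPFW_STATE_RE = re.compile(
    r"^\s*\d+\s+\d+\s+\d+\s+\(\d+s\)\s+STATE\s+udp\s+"
    r"(\S+)\s+(\d+)\s+<->\s+(\S+)\s+(\d+)"
)


def out_of_range_sources(ipfw_lines, ports):
    """Return (src_port, dst_ip) for each UDP state whose source port is not in `ports`."""
    bad = []
    for line in ipfw_lines:
        m = IPFW_STATE_RE.match(line)
        if not m:
            continue
        src_port = int(m.group(2))
        if src_port not in ports:
            bad.append((src_port, m.group(3)))
    return bad


# Constructed sample lines in the format of the posted `ipfw -d show` output.
SAMPLE_IPFW = [
    "01300 1 40 (4s) STATE udp 11.112.44.xxx 19405 <-> 195.59.44.134 53",
    "01300 1 75 (4s) STATE udp 11.112.44.xxx 12506 <-> 63.209.3.131 53",
    "01300 1 326 (3s) STATE udp 11.112.44.xxx 36161 <-> 66.218.71.63 53",
    "01300 1 545 (3s) STATE udp 11.112.44.xxx 65480 <-> 192.26.92.30 53",
]

# The original configuration (permit only) and the corrected one (permit + avoid).
PERMIT_ONLY = ["outgoing-port-permit: 32768-65000"]
PERMIT_AND_AVOID = PERMIT_ONLY + [
    "outgoing-port-avoid: 0-32767",
    "outgoing-port-avoid: 65001-65535",
]

if __name__ == "__main__":
    for label, cfg in (("permit only", PERMIT_ONLY), ("permit + avoid", PERMIT_AND_AVOID)):
        ports = allowed_ports(cfg)
        print(f"{label}: {len(ports)} usable ports, out of range:",
              out_of_range_sources(SAMPLE_IPFW, ports))
```

With the permit line alone the usable set still starts at 1024, so none of the sample source ports is flagged; with the two avoid lines added the set collapses to exactly 32768-65000 and the 19405, 12506 and 65480 states are reported. The same check can be run over real `ipfw -d show` output to confirm the resolver's source ports after a configuration change.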

Thanks for your clear answer!

Looks like I missed something while reading man unbound.conf, and
got into a misunderstanding about all these ranges :wink:

Feature request?
Maybe it would be valuable to implement in future releases of
Unbound a new configuration option like outgoing-port-range: to be
able to clearly direct the allowed port range? It is not so important but
may be valuable... Or append your explanation as a comment to the
unbound.conf man page...

Thanks!

Hi Beastie,

Beastie wrote:

Thanks for your clear answer!

Looks like I missed something while reading man unbound.conf, and
got into a misunderstanding about all these ranges :wink:

Feature request?
Maybe it would be valuable to implement in future releases of
Unbound a new configuration option like outgoing-port-range: to be
able to clearly direct the allowed port range? It is not so important but
may be valuable... Or append your explanation as a comment to the
unbound.conf man page...

Glad to help. I'll see if I can explain in the unbound.conf man page.

Best regards,
~ Wouter