Revision df23ccfe
Added by Scott Ullrich about 18 years ago
cf/conf/config.xml | ||
---|---|---|
5 | 5 |
<lastchange></lastchange> |
6 | 6 |
<theme>nervecenter</theme> |
7 | 7 |
<sysctl> |
8 |
<item> |
|
9 |
<desc>Set the ephemeral port range to be lower.</desc> |
|
10 |
<tunable>net.inet.ip.portrange.first</tunable> |
|
11 |
<value>1024</value> |
|
12 |
</item> |
|
8 | 13 |
<item> |
9 | 14 |
<desc>Drop packets to closed TCP ports without returning a RST</desc> |
10 | 15 |
<tunable>net.inet.tcp.blackhole</tunable> |
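Review bot: the new `<desc>` on line 9 says only "Set the ephemeral port range to be lower." and records neither the value nor the reason, so the rationale that lives in the commit message (1024 instead of 49152, to avoid running out of ephemeral ports on a busy firewall) is lost to anyone reading config.xml later; suggest `<desc>Start the ephemeral port range at 1024 instead of 49152 to avoid running out of source ports on busy firewalls</desc>`. Worth noting in the same description: with `net.inet.ip.portrange.first` at 1024 the kernel may pick outbound source ports anywhere from 1024 up to `net.inet.ip.portrange.last` (not shown in this hunk), so a local service started later that wants a fixed port in that range can fail to bind while a connection holds it, and any rule that matches on source port should be checked against the wider range. Stating both bounds in the tunable's description would make the effective range obvious.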
conf.default/config.xml | ||
---|---|---|
5 | 5 |
<lastchange></lastchange> |
6 | 6 |
<theme>nervecenter</theme> |
7 | 7 |
<sysctl> |
8 |
<item> |
|
9 |
<desc>Set the ephemeral port range to be lower.</desc> |
|
10 |
<tunable>net.inet.ip.portrange.first</tunable> |
|
11 |
<value>1024</value> |
|
12 |
</item> |
|
8 | 13 |
<item> |
9 | 14 |
<desc>Drop packets to closed TCP ports without returning a RST</desc> |
10 | 15 |
<tunable>net.inet.tcp.blackhole</tunable> |
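Review bot: this hunk is the same change as the one in cf/conf/config.xml, so the two copies of config.xml stay consistent, but it carries the same gap in the `<desc>` on line 9: it states neither the value 1024 nor the 49152 it replaces. Suggest applying the same improved description to both copies in one go, e.g. `<desc>Start the ephemeral port range at 1024 instead of 49152 to avoid running out of source ports on busy firewalls</desc>`, so that cf/conf and conf.default do not drift apart.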
Set the ephemeral port range starting port to 1024 instead of 49152.
On a busy firewall it is possible to run out of ephemeral ports and then the system will block new connections until a port is available.