
Specify the UDP port-range for UDP associate request #699

Open
dev-pingfighter opened this issue Oct 26, 2021 · 0 comments
dev-pingfighter commented Oct 26, 2021

Hey! @z3APA3A

What I am looking for is the ability to bind a socket to listen on any open port within a certain range and return that port as the answer to a UDP associate request. The Dante proxy has a similar feature called udp.portrange; here are the docs to check what it's about.

I'm not sure whether such a feature already exists or I just could not find its description (after a quick look through the code, it looks like the socket is bound to port 0 to let the kernel select an unused port from the ephemeral port range, and getsockname is then used to determine which port was actually chosen). If that is the case, would it be possible to add this feature to some milestone?

It would be really handy, because administrators often need to restrict access to as many port numbers as possible at the firewall level. Where inbound connections to ephemeral ports are required, an entire range of ports must be opened. It's such a headache, because the ephemeral port ranges of machines on the internal network often do not coincide with each other, since different operating systems may use different ranges (it really depends on the OS and the kernel version, but in many situations RFC 6056 is not really followed). That is why it can be time-consuming to manually configure each machine's ephemeral port range so it matches the range opened on the firewall. As a result, administrators often end up allowing all incoming ports and denying access to specific ports when needed.

So it's desirable to be able to change which port numbers are used in the response to a UDP associate request, for any of the following reasons:

  • To use a larger range so that more simultaneous connections are possible
  • To shift the range to the higher numbered ports
  • To change the range to coincide with other systems for purposes of firewalling and automatic network address translation
  • To enable many other useful features, such as writing iptables PREROUTING rules with the --dport flag based on the predictable ports returned by the 3proxy SOCKS server, or being able to properly configure ports for an IPVS load balancer in a k8s cluster, etc.

Thanks and let me know if it makes sense to you!
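Added example (not 3proxy's code, nor Dante's udp.portrange implementation): a C routine that does what the issue asks for. Instead of binding to port 0 and reading the kernel's choice back, it walks a configured port range from a seed-chosen starting offset (so concurrent associations do not all probe the same low port first, in the spirit of RFC 6056), retries on EADDRINUSE, and confirms the bound port with getsockname() exactly as the port-0 path does. A second helper packs the result into the 10-byte RFC 1928 UDP ASSOCIATE reply (VER, REP, RSV, ATYP=IPv4, BND.ADDR, BND.PORT). The function names, the 40000-40009 range and the addresses are assumptions for illustration.

```c
/* Added example, not part of 3proxy: bind a UDP relay socket inside a
   configured port range and build the SOCKS5 UDP ASSOCIATE reply for it. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a fresh UDP socket on addr to the first free port in [lo, hi],
   starting at an offset derived from seed so callers don't all probe
   the same port first. On success returns the socket (caller closes it)
   and stores the actually bound port in *port_out. On failure returns -1
   with errno set: EINVAL for a bad range/address, EADDRINUSE when every
   port in the range is taken, or whatever bind()/socket() reported. */
int bind_udp_in_range(const char *addr, int lo, int hi,
                      unsigned seed, int *port_out)
{
    if (lo < 1 || hi > 65535 || lo > hi) { errno = EINVAL; return -1; }

    struct in_addr ip;
    if (inet_pton(AF_INET, addr, &ip) != 1) { errno = EINVAL; return -1; }

    int span  = hi - lo + 1;
    int start = (int)(seed % (unsigned)span);   /* offset into the range */

    for (int i = 0; i < span; i++) {
        int port = lo + (start + i) % span;      /* wrap around the range */

        int fd = socket(AF_INET, SOCK_DGRAM, 0);
        if (fd < 0) return -1;

        struct sockaddr_in sin;
        memset(&sin, 0, sizeof sin);
        sin.sin_family = AF_INET;
        sin.sin_addr   = ip;
        sin.sin_port   = htons((uint16_t)port);

        if (bind(fd, (struct sockaddr *)&sin, sizeof sin) == 0) {
            /* Report what the kernel really bound, as the port-0 path does. */
            struct sockaddr_in got;
            socklen_t len = sizeof got;
            if (getsockname(fd, (struct sockaddr *)&got, &len) == 0) {
                *port_out = ntohs(got.sin_port);
                return fd;
            }
            int e = errno; close(fd); errno = e;
            return -1;
        }

        int e = errno;
        close(fd);
        if (e != EADDRINUSE) { errno = e; return -1; } /* real error, stop */
        /* port taken: try the next one */
    }
    errno = EADDRINUSE;   /* whole range exhausted */
    return -1;
}

/* Fill out[10] with the RFC 1928 reply to a UDP ASSOCIATE:
   VER=5 REP=0 RSV=0 ATYP=1 BND.ADDR(4) BND.PORT(2, network order).
   Returns the reply length (10), or -1 if addr is not a dotted IPv4 string. */
int socks5_udp_associate_reply(uint8_t out[10], const char *addr, int port)
{
    struct in_addr ip;
    if (inet_pton(AF_INET, addr, &ip) != 1 || port < 1 || port > 65535)
        return -1;
    out[0] = 0x05; out[1] = 0x00; out[2] = 0x00; out[3] = 0x01;
    memcpy(out + 4, &ip.s_addr, 4);            /* already network order */
    out[8] = (uint8_t)(port >> 8);
    out[9] = (uint8_t)(port & 0xff);
    return 10;
}

int main(void)
{
    int port = -1;
    /* Assumed relay range; a real server would take lo/hi from its config
       and use a random seed per association. */
    int fd = bind_udp_in_range("127.0.0.1", 40000, 40009, (unsigned)getpid(), &port);
    if (fd < 0) { perror("bind_udp_in_range"); return 1; }

    uint8_t rep[10];
    socks5_udp_associate_reply(rep, "127.0.0.1", port);
    printf("relay bound to 127.0.0.1:%d, reply bytes:", port);
    for (int i = 0; i < 10; i++) printf(" %02x", rep[i]);
    printf("\n");
    close(fd);
    return 0;
}
```

Because the loop only retries on EADDRINUSE, a range that dips below 1024 on an unprivileged process fails fast with EACCES rather than silently scanning; the firewall rule the issue mentions then only has to cover [lo, hi] (for example `iptables -A INPUT -p udp --dport 40000:40009 -j ACCEPT`, an assumed rule matching the assumed range).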
