bind_random_port ignores OS ephemeral port range #63
Comments
|
It was to remediate CVE-2008-1447. |
nobu
added a commit
that referenced
this issue
Jan 20, 2025
Hopefully RFC-6056 is being applied. Fixes #63.
nobu
added a commit
that referenced
this issue
Jan 20, 2025
Hopefully RFC-6056 is being applied. Fixes #63.
nobu
added a commit
that referenced
this issue
Jan 21, 2025
On platforms where ephemeral port randomization is implemented, the same randomization is not needed in the ruby library layer. Fixes #63.
matzbot
pushed a commit
to ruby/ruby
that referenced
this issue
Jan 21, 2025
On platforms where ephemeral port randomization is implemented, the same randomization is not needed in the ruby library layer. Fixes ruby/resolv#63. ruby/resolv@45e1b563c0
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This issue was first seen due to failed Puppet runs on a system with strict firewalling, as it uses this library. In
bind_random_port,port = random(1024..65535)assumes that the ephemeral port range is1024..65535. This is almost never the case. e.g. on a modern Linux Redhat-like system, the default range is(32768..60999)but of course can be modified by changing/proc/sys/net/ipv4/ip_local_port_range. This is not limited to being a firewall issue - modern services may bind to ports above 1024, which is especially problematic during eg a puppet run, where this random port selection may be holding open the required port during service configuration. Solution - instead of randomly choosing ports,port = 0is defined as specifying an unused ephemeral port on at least Linux, FreeBSD, SunOS and Windows -udpsock.bind(bind_host, 0)is sufficient. There should be absolutely no need in the first place to specify a random port, or to keep trying ports until an unused one is discovered, which also does not scale particularly well on systems with heavy network usage.The text was updated successfully, but these errors were encountered: