On Thu, Aug 27, 2009 at 11:59 AM, Scott Ullrich <[email protected]> wrote:
> On Thu, Aug 27, 2009 at 2:15 PM, David Rees <[email protected]> wrote:
>> I've recently run into the issue described on ticket #1931 and on the
>> forum thread below:
>>
>> http://cvstrac.pfsense.org/tktview?tn=1931
>> http://forum.pfsense.org/index.php/topic,16314.0.html
>>
>> Even though we only have about 200 port forwards, we have 6 local
>> interfaces, so we've quickly run into this limitation.
>>
>> So a couple of questions before I go and tackle this issue:
>>
>> 1. Why the limitation of 1000? Is that more or less arbitrary, to keep
>> too many local ports from being used by the inetd nc rules, or
>> could it be increased some?
>
> Because of some of the issues you outlined in #2.

OK - I guess what I'm asking is this: I've just checked my particular
pfSense box and, aside from the nearly 1000 ports it's listening to from
19000+ for my NAT reflection rules, is there anything else keeping us
from using a wider port range to allow even more NAT reflection rules to
be used? I don't see many other ports in use on localhost except for
ssh, dns, pptp and a handful of ports ranging from 8021+ (which I
believe are used for the FTP helper).

I think that it may be helpful to be able to override the default
starting port range and number as well as the maximum number of ports
to use for NAT reflection. Bonus points I guess for a patch which does
this as well! ;-)

>> 2. If I write a patch to limit the number of inetd entries below the
>> above limit, will it be accepted upstream? We should be able to stop
>> the inetd nc port multiplication issue so we will be able to reflect
>> up to 1000 ports, but there will still be $num_interfaces *
>> $num_portforwards NAT redirect rules generated. If the patch is
>> likely to be accepted upstream, I'm more likely to spend time to write
>> a 'proper' solution instead of just hacking it. :-)
>
> We will gladly accept changes for this. Thanks!

Cool - I'll try to find some time over the next week to work on this.
I assume that working from a recent 1.2.3 snapshot is OK? Do you think
it will apply to the 2.0 branch as well? I have no idea how much the
code there has changed...

-Dave

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
Commercial support available - https://portal.pfsense.org
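The listener-port arithmetic behind the "inetd nc port multiplication" discussed in the thread, as an added Python model that is not pfSense's own code: the 19000 starting port and the 1000-port pool are the numbers from the thread, while the sample port forwards, interface names and function names are constructed for the illustration.

```python
# Model of how NAT-reflection listener ports get consumed (added example,
# not pfSense code). 19000 and 1000 come from the thread; everything else
# here is constructed.
REFLECTION_START = 19000   # first localhost port handed to an nc listener
REFLECTION_LIMIT = 1000    # size of the listener pool the thread describes


def reflection_listeners(forwards, interfaces, dedupe):
    """Allocate one localhost listener per reflected port.

    forwards:   list of (target_ip, first_port, last_port); every port in
                the range needs its own nc listener.
    interfaces: local interface names the rule is reflected on.
    dedupe:     False reproduces the multiplication problem (one listener
                per interface per port); True allocates one listener per
                port and lets each interface's redirect rule reuse it.
    Returns {listener_port: (iface_or_None, target_ip, target_port)} and
    raises RuntimeError as soon as the pool is exhausted.
    """
    listeners = {}
    next_port = REFLECTION_START
    ifaces = [None] if dedupe else list(interfaces)
    for target_ip, first, last in forwards:
        for port in range(first, last + 1):
            for iface in ifaces:
                if next_port >= REFLECTION_START + REFLECTION_LIMIT:
                    raise RuntimeError(
                        f"pool exhausted after {len(listeners)} listeners")
                listeners[next_port] = (iface, target_ip, port)
                next_port += 1
    return listeners


def listeners_needed(forwards, n_interfaces, dedupe):
    """Pre-flight count: how many listeners a rule set would consume."""
    ports = sum(last - first + 1 for _, first, last in forwards)
    return ports if dedupe else ports * n_interfaces


# Constructed sample sized like the thread: ~200 single-port forwards, 6 interfaces.
SAMPLE_FORWARDS = [("10.0.0.%d" % (i % 250 + 1), 8000 + i, 8000 + i) for i in range(200)]
SAMPLE_IFACES = ["lan", "opt1", "opt2", "opt3", "opt4", "opt5"]


def demo():
    """Return (naive_count, deduped_count, naive_fits, deduped_fits)."""
    naive = listeners_needed(SAMPLE_FORWARDS, len(SAMPLE_IFACES), dedupe=False)
    deduped = listeners_needed(SAMPLE_FORWARDS, len(SAMPLE_IFACES), dedupe=True)
    return naive, deduped, naive <= REFLECTION_LIMIT, deduped <= REFLECTION_LIMIT
```

With the sample, the per-interface scheme needs 1200 listeners and overflows the pool, while the deduplicated scheme needs 200 and leaves the remaining redirect rules as plain pf entries.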
