authorScott Ullrich <sullrich@pfsense.org>2007-07-05 16:13:38 +0000
committerScott Ullrich <sullrich@pfsense.org>2007-07-05 16:13:38 +0000
commitdf23ccfe824eb2d6ea579d4ecd0e56483a5f3c37 (patch)
tree610ec8e02de4badc2ea8e3b2255c1d407ef97df8 /conf.default
parent343d3464a8a75260a1ddb5b335c15de7e1fac262 (diff)
Set the ephemeral port range starting port to 1024 instead of 49152. On a busy firewall it is possible to run out of ephemeral ports and then the system will block new connections until a port is available.
Diffstat (limited to 'conf.default')
-rw-r--r--conf.default/config.xml5
1 files changed, 5 insertions, 0 deletions
diff --git a/conf.default/config.xml b/conf.default/config.xml
index 0fe5095..b94e203 100644
--- a/conf.default/config.xml
+++ b/conf.default/config.xml
@@ -6,6 +6,11 @@
<theme>nervecenter</theme>
<sysctl>
<item>
+ <desc>Set the ephemeral port range to be lower.</desc>
+ <tunable>net.inet.ip.portrange.first</tunable>
+ <value>1024</value>
+ </item>
+ <item>
<desc>Drop packets to closed TCP ports without returning a RST</desc>
<tunable>net.inet.tcp.blackhole</tunable>
<value>2</value>
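Review bot: Starting the ephemeral range at 1024 in the new `net.inet.ip.portrange.first` item puts locally originated source ports in the registered-port range, so an outgoing socket can end up holding a port that a daemon started or restarted later needs to bind, and the `<desc>` records neither that trade-off nor the reason for the change. I would carry the rationale from the commit message into the description, e.g. `<desc>Start the ephemeral port range at 1024 instead of 49152 to avoid port exhaustion on busy firewalls; overlaps registered service ports</desc>`. Whether any shipped service listens between 1024 and 49151 cannot be seen from this hunk, so that should be checked before this becomes the default. The `<sysctl>` list and the following `<item>` continue outside the hunk.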