Set the ephemeral port range starting port to 1024 instead of 49152. On a busy firewall it is possible to run out of ephemeral ports and then the system will block new connections until a port is available.

author: Scott Ullrich <sullrich@pfsense.org> 2007-07-05 16:13:38 +0000
committer: Scott Ullrich <sullrich@pfsense.org> 2007-07-05 16:13:38 +0000
commit: df23ccfe824eb2d6ea579d4ecd0e56483a5f3c37 (patch)
tree: 610ec8e02de4badc2ea8e3b2255c1d407ef97df8 /conf.default
parent: 343d3464a8a75260a1ddb5b335c15de7e1fac262 (diff)
download: pfsense-df23ccfe824eb2d6ea579d4ecd0e56483a5f3c37.zip
pfsense-df23ccfe824eb2d6ea579d4ecd0e56483a5f3c37.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/conf.default/config.xml b/conf.default/config.xml
index 0fe5095..b94e203 100644
--- a/conf.default/config.xml
+++ b/conf.default/config.xml
@@ -6,6 +6,11 @@
 	<theme>nervecenter</theme>
 	<sysctl>
 		<item>
+			<desc>Set the ephemeral port range to be lower.</desc>
+			<tunable>net.inet.ip.portrange.first</tunable>
+			<value>1024</value>
+		</item>
+		<item>
 			<desc>Drop packets to closed TCP ports without returning a RST</desc>
 			<tunable>net.inet.tcp.blackhole</tunable>
 			<value>2</value>
author	Scott Ullrich <sullrich@pfsense.org>	2007-07-05 16:13:38 +0000
committer	Scott Ullrich <sullrich@pfsense.org>	2007-07-05 16:13:38 +0000
commit	df23ccfe824eb2d6ea579d4ecd0e56483a5f3c37 (patch)
tree	610ec8e02de4badc2ea8e3b2255c1d407ef97df8 /conf.default
parent	343d3464a8a75260a1ddb5b335c15de7e1fac262 (diff)
download	pfsense-df23ccfe824eb2d6ea579d4ecd0e56483a5f3c37.zip pfsense-df23ccfe824eb2d6ea579d4ecd0e56483a5f3c37.tar.gz