Common TCP and UDP Parameters
There are parameters common to both the TCP and UDP drivers. These parameters implement concepts that are similar and independent of the protocol.
The Solaris OE and other UNIX variants restrict access to network socket port numbers less than 1024. Ports 1 through 1023 are considered reserved and require superuser privilege to acquire them. The range of these privileged ports can be increased. Specific ports can also be marked as privileged.
The Solaris OE also provides a mechanism to define the range of dynamically assigned ports. These ports are commonly referred to as ephemeral because they are typically short-lived and primarily exist for outbound network connections. The upper and lower bound of this port range can be adjusted.
Adding Privileged Ports
The Solaris 2.5.1, 2.6, 7, 8, and 9 OE releases provide a method to extend the privileged port range beyond 1023 for both the TCP and UDP drivers. Additionally, the Solaris 2.6, 7, 8, and 9 OE releases have a mechanism to add additional, individual privileged ports.
Some services operate with superuser privilege outside the privileged port range. The NFS server process (nfsd) attaches to port 2049. Unfortunately, an attacker without superuser privilege can start a server process on a system that normally does not operate as an NFS server. This nonprivileged process can offer a false NFS service to unsuspecting clients. There are other services and applications that operate outside the standard privileged port range as well.
The privileged port range is extended using the tcp_smallest_nonpriv_port parameter of the TCP driver and the udp_smallest_nonpriv_port parameter of the UDP driver. Each specifies the smallest nonprivileged port number for that driver. Use the following ndd commands to extend the privileged port range to 4096 (that is, to make 4097 the smallest nonprivileged port) for both the TCP and UDP drivers:
# ndd -set /dev/tcp tcp_smallest_nonpriv_port 4097
# ndd -set /dev/udp udp_smallest_nonpriv_port 4097
Add these commands to the system init scripts so that the setting is applied at system start.
It is also possible to specify additional privileged ports. The current list of additional privileged ports can be viewed using these ndd commands:
# ndd /dev/tcp tcp_extra_priv_ports
2049
4045
# ndd /dev/udp udp_extra_priv_ports
2049
4045
This output shows that the NFS server port (2049) and the NFS lock manager port (4045) are already protected as privileged ports. These two ports are the default additional privileged ports for the Solaris 2.6, 7, 8, and 9 OE releases.
Adding privileged TCP or UDP ports involves similar but separate parameter names. Add TCP privileged ports using the tcp_extra_priv_ports_add parameter for the TCP driver. Add UDP privileged ports using the udp_extra_priv_ports_add parameter for the UDP driver. For example, to add TCP and UDP port numbers to the privileged list, use these ndd commands:
# ndd -set /dev/tcp tcp_extra_priv_ports_add 7007
# ndd -set /dev/udp udp_extra_priv_ports_add 7009
TCP port 7007 and UDP port 7009 are now part of the list of additional privileged ports.
It is also possible to delete defined additional privileged ports. Use the tcp_extra_priv_ports_del or udp_extra_priv_ports_del parameters to remove previously configured ports for the appropriate driver.
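As an added example, not part of the original document, the following init-script fragment applies the ndd port additions above idempotently: it reads each driver's current extra privileged port list and issues the _add parameter only for ports that are missing, so re-running it at every boot is safe. It assumes ndd is installed at /usr/sbin/ndd; the NDD override variable and the helper function names are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original document: an init-script fragment that
# applies extra privileged ports idempotently. It assumes ndd is /usr/sbin/ndd;
# NDD is a hypothetical override variable (useful for testing without a driver).
NDD=${NDD:-/usr/sbin/ndd}

# Print the ports in WANTED that are absent from CURRENT (both space-separated),
# so ports that are already privileged (such as the default 2049 and 4045) are
# not added a second time.
missing_ports() {
    wanted=$1
    current=$2
    out=""
    for p in $wanted; do
        found=0
        for c in $current; do
            if [ "$p" = "$c" ]; then found=1; fi
        done
        if [ "$found" -eq 0 ]; then out="$out${out:+ }$p"; fi
    done
    echo "$out"
}

# Add WANTED ports to the extra privileged list of one driver (tcp or udp):
# read <proto>_extra_priv_ports first, then issue <proto>_extra_priv_ports_add
# only for ports not yet listed. Returns 1 if any ndd call fails.
add_priv_ports() {
    proto=$1
    wanted=$2
    listed=$("$NDD" "/dev/$proto" "${proto}_extra_priv_ports" | tr '\n' ' ')
    for p in $(missing_ports "$wanted" "$listed"); do
        "$NDD" -set "/dev/$proto" "${proto}_extra_priv_ports_add" "$p" || return 1
    done
    return 0
}

# Apply only where the ndd binary exists, i.e. on a live Solaris system.
if [ -x "$NDD" ]; then
    add_priv_ports tcp "2049 4045 7007" || echo "tcp_extra_priv_ports_add failed" >&2
    add_priv_ports udp "2049 4045 7009" || echo "udp_extra_priv_ports_add failed" >&2
fi
```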
Extending the privileged port range can break applications. Prior to configuring additional privileged ports, determine which server processes run with superuser privilege outside of the privileged port range. Remember that some services run as normal user processes. Extending the range or including a port inappropriately will prevent such a server from acquiring the network port it needs to operate. Whenever possible, add specific ports to the privileged port list instead of changing the range of privileged ports.
Changing the Ephemeral Port Range
The Solaris 2.5.1, 2.6, 7, 8, and 9 OE releases provide a method to change the ephemeral port range for both the TCP and UDP drivers. The upper and lower range can be altered.
The following ndd commands show the range values for the TCP and UDP drivers:
# ndd /dev/tcp tcp_smallest_anon_port
32768
# ndd /dev/tcp tcp_largest_anon_port
65535
# ndd /dev/udp udp_smallest_anon_port
32768
# ndd /dev/udp udp_largest_anon_port
65535
Alter the ephemeral port ranges by setting the smallest and largest port number (the _smallest_anon_port and _largest_anon_port parameters) for both the TCP and the UDP drivers.
Adjusting these values can be useful, particularly in firewall environments. Define a smaller range to simplify firewall rules for specific applications. Take care when defining a small range, because the ability to establish outbound network connections might be limited.