Outside your LAN there are people that happily use any port you open.
Therefore I want to restrict the client ports to 1000-1023.
I cannot see why this should increase security. Better to filter by source (and destination) IP, use TCP wrappers and well-protected keys.
Usually the Linux local port range is 1024-4999 IIRC; you can set this up via /proc, but I don't think that this is useful. This setting affects the whole system. I assume it would break many things if you set the local port range below 1023, BTW.
If the application does not set a source port for the connection, the
kernel will provide the first available port. Non-root users
(CAP_NET_BIND) can only use ports starting with 1024.
The good old ssh-1.2.27 /usr/bin/ssh1 uses a port below 1024 by default if
the option "-P" has not been used on the command line. The manpage of ssh
in the openssh implementation should be able to provide information about
an equally suited option for openssh.
As Steffen already said, using a local port range below 1024 doesn't
really help security a lot. Actually, the only thing you can be sure about
is that something sitting on a low port was root when it bound to that
socket, but not more, and only on Unix systems. You have to trust the root
user on the machine that you impose port-dependent filter rules on,
otherwise it doesn't make sense.
Thanks,
Roman.
--
| Roman Drahtmüller
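The privileged-port convention Roman describes, as an added example that is not part of the thread and not code from any of its participants: a client that binds a source port below 1024 before connecting (which the kernel only allows to root or CAP_NET_BIND_SERVICE on Linux), a server-side check of the peer's source port in the rsh/rlogin style, and a read of the ephemeral range from /proc. It assumes Linux/POSIX sockets and loopback; all function names are mine. Run it once as an unprivileged user and once as root to see the two outcomes.

```c
/* low_port_demo.c: added example, not from the thread.
 * Assumes Linux/POSIX sockets and a working loopback interface. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* TCP socket bound to 127.0.0.1:port (0 = kernel picks from
 * ip_local_port_range). Returns the fd, or -errno on failure:
 * -EACCES is what an unprivileged caller gets for port < 1024. */
int bind_source_port(int port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons((unsigned short)port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        int err = errno;
        close(fd);
        return -err;
    }
    return fd;
}

/* Ephemeral range the kernel uses when the application sets no source
 * port. Returns 0 and fills lo/hi, or -1 if /proc is unavailable. */
int read_local_port_range(int *lo, int *hi)
{
    FILE *f = fopen("/proc/sys/net/ipv4/ip_local_port_range", "r");
    if (!f)
        return -1;
    int n = fscanf(f, "%d %d", lo, hi);
    fclose(f);
    return n == 2 ? 0 : -1;
}

/* Server-side check: did the peer connect from a port < 1024?
 * 1 = yes, 0 = no, -1 = error. As the thread notes, this only says the
 * peer had root (or CAP_NET_BIND_SERVICE) on its own host, and only
 * if that host is a Unix system whose root you trust. */
int peer_used_privileged_port(int conn_fd)
{
    struct sockaddr_in peer;
    socklen_t len = sizeof peer;
    if (getpeername(conn_fd, (struct sockaddr *)&peer, &len) < 0)
        return -1;
    return ntohs(peer.sin_port) < 1024;
}

/* Loopback round trip: listen on an ephemeral port, connect from a
 * client bound to src_port, return what the server saw (1/0), or
 * -errno if the client could not bind or connect. */
int demo_connection(int src_port)
{
    int lfd = bind_source_port(0);
    if (lfd < 0)
        return lfd;
    if (listen(lfd, 1) < 0) { int e = errno; close(lfd); return -e; }
    struct sockaddr_in la;
    socklen_t llen = sizeof la;
    getsockname(lfd, (struct sockaddr *)&la, &llen);

    int cfd = bind_source_port(src_port);
    if (cfd < 0) { close(lfd); return cfd; }
    if (connect(cfd, (struct sockaddr *)&la, sizeof la) < 0) {
        int e = errno; close(cfd); close(lfd); return -e;
    }
    int sfd = accept(lfd, NULL, NULL);
    int result = sfd < 0 ? -errno : peer_used_privileged_port(sfd);
    if (sfd >= 0) close(sfd);
    close(cfd);
    close(lfd);
    return result;
}

int main(void)
{
    int lo, hi;
    if (read_local_port_range(&lo, &hi) == 0)
        printf("ip_local_port_range: %d-%d\n", lo, hi);
    printf("ephemeral source port: privileged=%d\n", demo_connection(0));
    int r = demo_connection(1022);   /* 1022: a port in the asked-for range */
    if (r < 0)
        printf("source port 1022: bind/connect failed: %s\n", strerror(-r));
    else
        printf("source port 1022: privileged=%d\n", r);
    return 0;
}
```

The server side sees nothing but a 16-bit number; any host the attacker controls (root on a Unix box, or any non-Unix stack) can present a low source port, which is why the thread recommends source-address filtering and protected keys instead.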