[unisog] 10 minute web browsing and out....

Glenn Forbes Fleming Larratt glratt at rice.edu
Fri Feb 6 19:12:57 GMT 2004

On Fri, 6 Feb 2004, Doug Nelson wrote:

> > Gary Flynn wrote:
> >
> > >
> > > I'm hearing reports of people whose web browsers
> > > quit working after about 10 minutes. After that
> > > time they get a "page cannot be displayed" error
> > > wherever they go. Its reported that everything
> > > else works when that happens...IM, email, etc.
> >
> > ...
> >
> > The folks that were having this problem tell me it
> > went away after they took out the 3127-3198 TCP
> > port blocks into their network. ;)
> Ah, that make sense.  There is a danger in blocking all traffic to any
> port number greater than 1023, in that you need to consider source ports
> as well as destination ports.  The source port number for almost all TCP
> and UDP traffic is based on a counter that starts at 1024 and works its
> way up, wrapping back to 1024 if it gets too large.  So by blocking
> 3127-3198, you're assuring your users of difficulty after their system
> generates about 2000 TCP and UDP sessions (or connections).  With web
> browsing, that doesn't take all that long to reach, since each image,
> frame, style sheet, etc., can potentially require a separate TCP
> connection.
> With the port range 3127-3198, a user would be blocked for approximately
> 70 consecutive attempts, but if he/she persisted, the sessions would begin
> working again.

	Are you sure that persistence would work?

	It would seem to me that it would depend on the internal
	algorithm for the selection of ephemeral ports. We ran into this
	problem with a Linux version several years ago, in which the new
	(a) began its ephemeral ports choices at 32768, and (b) would
	simply get "stuck" on a port that didn't work - we had a block
	on the high RPC ports which made Linux machines unable to
	surf, period.


Glenn Forbes Fleming Larratt          glratt at rice.edu

There are imaginary bugs to chase in heaven.

More information about the unisog mailing list