[grsec] grsec's tcp source port randomization

Brad Spengler spender at grsecurity.net
Wed Apr 25 18:03:46 EDT 2007


On Sat, Apr 21, 2007 at 08:35:12PM -0500, Brant Williams wrote:
> 
> Hello,
> 
> I just happened to notice that there no longer seems to be a grsec kernel 
> option to randomize TCP source ports.  Just wondering when/why this was 
> removed.  Also... is there a grsec changelog somewhere?  I don't see one 
> in the kernel source tree, or online.

The 2.6 kernel (since 2.6.11) by default supports pseudo-random TCP 
source ports.  The algorithm used in 2.4 caused the problem described at:
http://forums.grsecurity.net/viewtopic.php?p=6076
which couldn't be resolved without greatly increasing the complexity of 
the option.  The forums contain more in-depth information on these 
topics.

I've updated the CVS page to reflect the status of the CVS repositories.  
Simply, it doesn't make much sense to keep an updated repository when 
the 2.6 kernel changes so drastically so often.  Any changes made to the 
non-PaX portion of grsecurity are listed at release time.  Changes in 
PaX can be seen by interdiffing the various test patches available.  I'd 
discourage applying any sort of interdiff as a backport, 
especially for the 2.6 series of kernels since PaX has undergone large 
changes through each version to adapt to the newer kernels.  Exceptions 
of course are for when either the PaX team or I offer small patches 
that can be backported.

CVS is still maintained for gradm.

-Brad
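As an added example, not part of the original thread, here is a small Python script to observe the source ports the local kernel assigns to outgoing TCP connections, which is the practical way to confirm the kernel-side randomization Brad refers to. It assumes a Linux host and connects only to listeners it opens itself on 127.0.0.1.

```python
"""Observe which ephemeral (source) ports the local kernel picks for outgoing
TCP connections, to check that port selection is not a plain counter."""
import socket
from typing import List


def sample_source_ports(n: int = 16) -> List[int]:
    """Open n connections to n separate listeners on 127.0.0.1 and return the
    source port the kernel chose for each.  Each listener gets its own
    destination port because Linux derives the starting point of its search
    from a keyed hash of the destination; repeated connects to one destination
    can still step upward even though the starting offset is randomized."""
    ports = []
    for _ in range(n):
        listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        listener.bind(("127.0.0.1", 0))   # kernel picks a free listening port
        listener.listen(1)
        client = socket.create_connection(listener.getsockname())
        ports.append(client.getsockname()[1])  # source port chosen by kernel
        peer, _ = listener.accept()
        peer.close()
        client.close()
        listener.close()
    return ports


def sequential_fraction(ports: List[int]) -> float:
    """Fraction of consecutive samples whose ports differ by exactly 1.  A
    purely incrementing allocator scores 1.0; a randomized one scores close
    to 0.0."""
    if len(ports) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ports, ports[1:]) if b - a == 1)
    return steps / (len(ports) - 1)


def port_span(ports: List[int]) -> int:
    """Distance between the lowest and highest sampled port; a randomized
    allocator spreads samples across a large part of the ephemeral range."""
    return max(ports) - min(ports) if ports else 0


if __name__ == "__main__":
    sampled = sample_source_ports()
    print("source ports:", sampled)
    print(f"sequential fraction: {sequential_fraction(sampled):.2f}, "
          f"span: {port_span(sampled)}")
```

The sampled values are only meaningful on the host where the script runs; a low sequential fraction together with a wide span is what kernel-side randomization looks like from user space.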