[grsec] grsec's tcp source port randomization

Brant Williams brant at tnarb.net
Thu Apr 26 12:13:49 EDT 2007


Ah, I see.  Thanks for the reply, Brad.

I also noticed that PIDs weren't being randomized, but it looks like that 
makes sense as well.



Public GPG/PGP key for Brant Williams: 0x88E1AA9E.
Available at your friendly local public keyserver.



On Wed, 25 Apr 2007, Brad Spengler wrote:

> On Sat, Apr 21, 2007 at 08:35:12PM -0500, Brant Williams wrote:
> > 
> > Hello,
> > 
> > I just happened to notice that there no longer seems to be a grsec kernel 
> > option to randomize TCP source ports.  Just wondering when/why this was 
> > removed.  Also... is there a grsec changelog somewhere?  I don't see one 
> > in the kernel source tree, or online.
> 
> The 2.6 kernel (since 2.6.11) by default supports pseudo-random TCP 
> source ports.  The algorithm used in 2.4 caused the problem described at:
> http://forums.grsecurity.net/viewtopic.php?p=6076
> which couldn't be resolved without greatly increasing the complexity of 
> the option.  The forums contain more in depth information on these 
> topics.
> 
> I've updated the CVS page to reflect the status of the CVS repositories.  
> Simply, it doesn't make much sense to keep an updated repository when 
> the 2.6 kernel changes so drastically so often.  Any changes made to the 
> non-PaX portion of grsecurity are listed at release time.  Changes in 
> PaX can be seen by interdiffing the various test patches available.  I'd 
> discourage the use of applying any sort of interdiff as a backport, 
> especially for the 2.6 series of kernels since PaX has undergone large 
> changes through each version to adapt to the newer kernels.  Exceptions 
> of course are for when either the PaX team or myself offer small patches 
> that can be backported.
> 
> CVS is still maintained for gradm.
> 
> -Brad
> 

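The 2.6 default Brad points to (the kernel picking pseudo-random local ports instead of the 2.4-era incrementing counter) is something an administrator can observe from userspace. The script below is an added example, not part of this thread and not grsecurity or PaX code: it asks the kernel for a batch of OS-chosen TCP ports by binding to port 0 on the loopback address, then scores the sequence for the "+1 each time" pattern and for spread (Shannon entropy). It assumes Python 3 on a Linux host, and it is an approximation: binding to port 0 exercises the bind-time local port allocator, not the path taken by connect() on an unbound socket, so treat it as a sanity check rather than a measurement of the source port selection used for outgoing connections. The `assess` thresholds are constructed for this example, not taken from any kernel documentation.

```python
"""Check whether the kernel hands out local TCP ports in a random-looking order.

Added example for the grsecurity list thread on source port randomization;
not grsecurity's or the kernel's code. Assumes Python 3 on Linux.
"""
import math
import socket
from collections import Counter


def sample_local_ports(n=200, host="127.0.0.1"):
    """Ask the kernel for n OS-chosen TCP ports by binding to port 0 on loopback.

    All sockets stay open until the batch is collected so the kernel cannot
    hand the same port back immediately; nothing is connected or listened on.
    This observes the bind-time allocator, not the connect()-time one
    (assumption: close enough for a sanity check of randomization).
    """
    sockets = []
    ports = []
    try:
        for _ in range(n):
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.bind((host, 0))
            sockets.append(s)
            ports.append(s.getsockname()[1])
    finally:
        for s in sockets:
            s.close()
    return ports


def sequential_fraction(ports):
    """Fraction of adjacent samples that differ by exactly +1.

    A monotonically incrementing allocator (the 2.4-era behaviour the thread
    refers to) scores close to 1.0; a randomized one scores close to 0.0.
    """
    if len(ports) < 2:
        return 0.0
    increments = sum(1 for a, b in zip(ports, ports[1:]) if b - a == 1)
    return increments / (len(ports) - 1)


def entropy_bits(ports):
    """Shannon entropy of the sampled port values, in bits.

    With n distinct values this equals log2(n); repeats lower it.
    """
    total = len(ports)
    if total == 0:
        return 0.0
    counts = Counter(ports)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def assess(ports, max_sequential=0.05, min_entropy_ratio=0.9):
    """Classify a port sequence as 'randomized', 'sequential' or 'insufficient'.

    Thresholds are constructed for this example: at most 5% of adjacent
    samples may be +1 steps, and entropy must reach 90% of the maximum
    possible for the sample size (all values distinct).
    """
    if len(ports) < 2:
        return {"samples": len(ports), "verdict": "insufficient"}
    seq = sequential_fraction(ports)
    ent = entropy_bits(ports)
    max_ent = math.log2(len(ports))
    randomized = seq <= max_sequential and ent >= min_entropy_ratio * max_ent
    return {
        "samples": len(ports),
        "sequential_fraction": round(seq, 3),
        "entropy_bits": round(ent, 2),
        "max_entropy_bits": round(max_ent, 2),
        "verdict": "randomized" if randomized else "sequential",
    }


if __name__ == "__main__":
    # Sample the running kernel and print the assessment.
    for key, value in assess(sample_local_ports()).items():
        print(f"{key}: {value}")
```

Run it as a normal user; no privileges are needed because the sockets only bind to loopback. A host whose allocator still behaves like the old counter shows a sequential fraction near 1.0, which is the pattern the thread says made per-connection prediction easy and which the 2.6 default removes.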