Re: non-standard TCP tunings in EC2 images
On Wed, 20 Jul 2016, Lucas Nussbaum wrote:
> net.ipv4.ip_local_port_range = 10240 65535
This one bit me: because AWS network ACLs are stateless, I had to add
inbound ALLOW rules for return packets from outbound traffic. I did so
with the official Wheezy images by specifying ports 32768-61000. When I
fired up my first instance from the official Jessie image, I had
mysterious network issues that I eventually tracked down to this change in
ip_local_port_range causing some return traffic to be blocked by the
network ACLs. I added the following to my user data cloud-config to fix:
write_files:
  - content: |
      # set local ephemeral port range to what previous versions had
      net.ipv4.ip_local_port_range = 32768 61000
    path: /etc/sysctl.d/99-localports.conf
I know that security groups, unlike network ACLs, ARE stateful and don't
need this kind of rule to allow return traffic. I actually use both in my
environment (defense in depth).
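An added example, not from the original message: a small checker that evaluates a stateless ACL's inbound rules the way AWS network ACLs do (lowest rule number first, first match wins, implicit deny) against the kernel's ip_local_port_range, and reports which ephemeral ports would have their return traffic dropped. The rule format (dicts with number/from/to/action) and the sample rule are assumptions constructed for the example; it considers TCP port matching only.

```python
"""Check that a stateless network ACL's inbound rules cover the kernel's
ephemeral port range, so return traffic for outbound connections is not
dropped. Rules are evaluated like AWS network ACLs: ascending rule number,
first match wins, implicit deny at the end. TCP only; other protocols ignored."""

EPHEMERAL_SYSCTL = "net.ipv4.ip_local_port_range"

# Constructed sample: the inbound allow rule sized for the Wheezy-era range.
INBOUND_RULES = [
    {"number": 100, "from": 32768, "to": 61000, "action": "allow"},
]

def parse_port_range(sysctl_line):
    """'net.ipv4.ip_local_port_range = 10240 65535' -> (10240, 65535)."""
    key, _, value = sysctl_line.partition("=")
    if key.strip() != EPHEMERAL_SYSCTL:
        raise ValueError("not an %s line: %r" % (EPHEMERAL_SYSCTL, sysctl_line))
    low, high = (int(p) for p in value.split())
    if not 1 <= low <= high <= 65535:
        raise ValueError("invalid port range %d-%d" % (low, high))
    return low, high

def first_match(rules, port):
    """Action of the lowest-numbered rule matching `port`, or the implicit deny."""
    for rule in sorted(rules, key=lambda r: r["number"]):
        if rule["from"] <= port <= rule["to"]:
            return rule["action"]
    return "deny"

def uncovered_ports(rules, port_range):
    """Return the sub-ranges of `port_range` that the ACL would block, as (low, high)."""
    low, high = port_range
    gaps, start = [], None
    for port in range(low, high + 1):
        blocked = first_match(rules, port) != "allow"
        if blocked and start is None:
            start = port                      # a blocked run begins
        elif not blocked and start is not None:
            gaps.append((start, port - 1))    # the run ended at the previous port
            start = None
    if start is not None:
        gaps.append((start, high))
    return gaps

if __name__ == "__main__":
    for line in ("net.ipv4.ip_local_port_range = 32768 61000",
                 "net.ipv4.ip_local_port_range = 10240 65535"):
        print(line, "->", uncovered_ports(INBOUND_RULES, parse_port_range(line)))
```

Running it against the two ranges from the thread shows the Wheezy range fully covered and the Jessie range leaving 10240-32767 and 61001-65535 exposed to the implicit deny, which is the symptom described above.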