
Re: non-standard TCP tunings in EC2 images

On Wed, 20 Jul 2016, Lucas Nussbaum wrote:
   net.ipv4.ip_local_port_range = 10240 65535

This one bit me: because AWS network ACLs are stateless, I had to add inbound ALLOW rules for return packets from outbound traffic. I did so with the official Wheezy images by specifying ports 32768-61000. When I fired up my first instance from the official Jessie image, I had mysterious network issues that I eventually tracked down to this change in ip_local_port_range causing some return traffic to be blocked by the network ACLs. I added the following to my user data cloud-config to fix:
#cloud-config
write_files:
-   content: |
        # set local ephemeral port range to what previous versions had
        net.ipv4.ip_local_port_range = 32768 61000
    path: /etc/sysctl.d/99-localports.conf

I know that security groups, unlike network ACLs, ARE stateful and don't need this kind of rule to allow return traffic. I actually use both in my environment (defense in depth).
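The mismatch described in this message is easy to check for mechanically: read the kernel's ephemeral port range and compare it against the inbound ALLOW entries of the stateless network ACL. The following is an added example, not code from the original message or from Debian's cloud images; the inbound rule set it evaluates is constructed for illustration (rule 100 is the 32768-61000 return-traffic rule the message mentions, rule 110 is an assumed SSH rule), rules are assumed to be TCP from 0.0.0.0/0, and a port with no matching rule falls through to the NACL's implicit default deny.

```python
"""Check whether a host's ephemeral port range is fully covered by the
inbound ALLOW rules of a stateless AWS network ACL.

Added example. The rule set below is constructed, not exported from an
account; NACL rules are evaluated in ascending rule-number order and the
first match wins, with an implicit deny for anything unmatched.
"""
from typing import Dict, List, Tuple

PortRange = Tuple[int, int]

# Constructed inbound rule set (assumed TCP, source 0.0.0.0/0).
# Rule 100 mirrors the return-traffic rule from the message; rule 110 is
# an assumed SSH rule and plays no part in the ephemeral-port check.
INBOUND_RULES: List[Dict] = [
    {"rule_number": 100, "action": "allow", "from_port": 32768, "to_port": 61000},
    {"rule_number": 110, "action": "allow", "from_port": 22, "to_port": 22},
]

# Ephemeral ranges quoted in the thread: Wheezy-era default vs the Jessie image.
WHEEZY_RANGE: PortRange = (32768, 61000)
JESSIE_RANGE: PortRange = (10240, 65535)


def parse_port_range(sysctl_line: str) -> PortRange:
    """Parse a `sysctl net.ipv4.ip_local_port_range` output line, e.g.
    'net.ipv4.ip_local_port_range = 10240\t65535', into (low, high)."""
    key, sep, value = sysctl_line.partition("=")
    if not sep or key.strip() != "net.ipv4.ip_local_port_range":
        raise ValueError(f"not an ip_local_port_range line: {sysctl_line!r}")
    parts = value.split()
    if len(parts) != 2:
        raise ValueError(f"expected two port numbers, got {value!r}")
    lo, hi = int(parts[0]), int(parts[1])
    if not (1 <= lo <= hi <= 65535):
        raise ValueError(f"invalid port range {lo}-{hi}")
    return lo, hi


def uncovered_ports(needed: PortRange, rules: List[Dict]) -> List[PortRange]:
    """Return the sub-ranges of `needed` on which return traffic would be
    blocked: ports whose first-matching rule is a deny, or which match
    nothing (implicit default deny). Empty list means fully covered."""
    lo, hi = needed
    ordered = sorted(rules, key=lambda r: r["rule_number"])
    gaps: List[PortRange] = []
    gap_start = None
    for port in range(lo, hi + 1):
        allowed = False
        for rule in ordered:
            if rule["from_port"] <= port <= rule["to_port"]:
                allowed = rule["action"] == "allow"  # first match wins
                break
        if allowed:
            if gap_start is not None:
                gaps.append((gap_start, port - 1))
                gap_start = None
        elif gap_start is None:
            gap_start = port
    if gap_start is not None:
        gaps.append((gap_start, hi))
    return gaps


if __name__ == "__main__":
    for label, rng in (("wheezy", WHEEZY_RANGE), ("jessie", JESSIE_RANGE)):
        gaps = uncovered_ports(rng, INBOUND_RULES)
        status = "ok" if not gaps else f"BLOCKED on {gaps}"
        print(f"{label} ephemeral range {rng[0]}-{rng[1]}: {status}")
```

On a live instance the input to `parse_port_range` is the output of `sysctl net.ipv4.ip_local_port_range`; the Jessie range yields two gaps (10240-32767 and 61001-65535), which is exactly the "some return traffic blocked" symptom, and either pinning the sysctl back to 32768 61000 or widening the ALLOW rule to cover the new range makes the check return an empty list.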
