TCP time_wait and port exhaustion for servers

Ray Soucy rps at
Thu Dec 6 13:31:32 UTC 2012

It does require a fixed source address.  The box is also a router and
firewall, so it has many IP addresses available to it.

On Wed, Dec 5, 2012 at 5:24 PM, William Herrin <bill at> wrote:
> On Wed, Dec 5, 2012 at 5:01 PM, Mark Andrews <marka at> wrote:
>> In message <CAP-guGW6oXo=UfTfg+SDiFjB4=qxPShO+YfK6vxnLkCC58PvgQ at>,
>>  William Herrin writes:
>>> The thing is, Linux doesn't behave quite that way.
>>> If you do an anonymous connect(), that is you socket() and then
>>> connect() without a bind() in the middle, then the limit applies *per
>>> destination IP:port pair*. So, you should be able to do 30,000
>>> connections to port 80, another 30,000 connections to
>>> port 80, and so on.
>> The socket api is missing a bind + connect call which restricts the
>> source address when making the connect.  This is needed when you
>> are required to use a fixed source address.
> Hi Mark,
> There are ways around this problem in Linux. For example you can mark
> a packet with iptables based on the uid of the process which created
> it and then you can NAT the source address based on the mark. Little
> messy but the tools are there.
> Anyway, Ray didn't indicate that he needed a fixed source address
> other than the one the machine would ordinarily choose for itself.
> Regards,
> Bill Herrin
> --
> William D. Herrin ................ herrin at  bill at
> 3005 Crane Dr. ...................... Web: <>
> Falls Church, VA 22042-3004

Ray Patrick Soucy
Network Engineer
University of Maine System

T: 207-561-3526
F: 207-561-3531

MaineREN, Maine's Research and Education Network
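An added example, not from this thread, of the bind + connect pattern Mark describes and what it costs: in Python on Linux, binding a fixed source address with port 0 makes the kernel pick the ephemeral port at bind() time from the global pool, while the later Linux socket option IP_BIND_ADDRESS_NO_PORT (kernel 4.2+, which did not exist when this thread was written) keeps the source address fixed but defers the port choice to connect(), restoring the per-destination accounting Bill describes. The loopback listener and addresses are constructed for the demonstration.

```python
import socket
import sys

# Linux-only socket option (kernel 4.2+) that defers ephemeral-port selection
# from bind() to connect(). 24 is Linux's value, used as a fallback when this
# Python build does not export the constant.
IP_BIND_ADDRESS_NO_PORT = getattr(socket, "IP_BIND_ADDRESS_NO_PORT", 24)

def on_linux():
    return sys.platform.startswith("linux")

def start_listener(addr="127.0.0.1"):
    """Loopback listener standing in for the remote service (constructed)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((addr, 0))
    srv.listen(16)
    return srv

def connect_from(src_addr, dst, defer_port):
    """Connect to dst from a fixed source address.

    Returns (socket, port_after_bind, port_after_connect). A plain
    bind((src, 0)) makes the kernel pick the local port before it knows the
    destination, so each such socket consumes one port from the global
    ephemeral range. With IP_BIND_ADDRESS_NO_PORT the bind fixes only the
    address and the port is chosen at connect() time, per destination.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if defer_port and on_linux():
        s.setsockopt(socket.IPPROTO_IP, IP_BIND_ADDRESS_NO_PORT, 1)
    s.bind((src_addr, 0))
    port_after_bind = s.getsockname()[1]
    s.connect(dst)
    return s, port_after_bind, s.getsockname()[1]

def demo():
    """Try both strategies against the loopback listener; return the ports."""
    srv = start_listener()
    results = {}
    try:
        for name, defer in (("bind_then_connect", False), ("no_port_bind", True)):
            s, before, after = connect_from("127.0.0.1", srv.getsockname(), defer)
            peer, _ = srv.accept()
            results[name] = (before, after)
            peer.close()
            s.close()
    finally:
        srv.close()
    return results
```

On Linux the second strategy reports port 0 after bind() and a real port only after connect(); on other platforms the option is skipped and both strategies behave like a plain bind.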
