Bruno Wolff III wrote:
On Thu, Oct 25, 2007 at 11:54:28 -0600,
"Ashley M. Kirchner" <ashley@xxxxxxxxxx> wrote:
To drop or not to drop, that is the question. If there's a server
out there sending spam e-mail, and I use iptables to block it, is it
best to simply drop the packet, or should I do a '--reject-with
icmp-host-unreachable' (or 'icmp-port-unreachable') or just a 'tcp-reset'?
Dropping packets from the ident port can potentially cause problems. Sometimes
servers will check back there to get a user id (this goes back to when people
mostly shared computers, it is pretty pointless today) and if you drop packets
things may stall until the connection times out rather than giving up
immediately after being told ident isn't available.
Anyone who thinks identd provides any security at all wrt computers they
don't control is ignorant or stupid.
It's trivial to find (or even, at a pinch write/modify one) a fake
identd that will say anything one chooses; anyone implementing security
assuming otherwise is trusting the untrustworthy.
Besides that, DOS boxes don't normally have one.
--
Cheers
John
-- spambait
1aaaaaaa@xxxxxxxxxxxxxxxx Z1aaaaaaa@xxxxxxxxxxxxxxxx
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375
Please do not reply off-list
