Re: Clever firewall rules

From: Scott Gifford (
Date: 09/16/01

To: focus-linux <>
Subject: Re: Clever firewall rules
From: Scott Gifford <>
Date: 16 Sep 2001 05:00:20 -0400
Message-ID: <>

On Fri, 14 Sep 2001, Welsh, Armand wrote:

> the big argument I hear is that if you drop packets instead of rejecting
> them, then some systems will pause (timeout) on identd lookups. My
> attitude is that I don't run identd services, and I think they should
> not be tied to internet services anyways. On the inside it's nice, but
> if people are using identd on the internet, too bad. They can timeout.
> I would rather be in stealth mode, than to advertise to others that I am
> not accepting the connection.

I don't understand exactly what this is supposed to accomplish; you've
already advertised your IP address by connecting to the service in
general, and they're going to know you're not running ident
eventually; it's just a matter of whether they (and probably you) wait
1 second or 30. What information does this hide?

There are legitimate reasons for using ident. From multiuser systems
in particular, ident lets you block a single user instead of the
entire server, or lets a sysadmin identify an abusive user from the

> Regarding ICMP, I permit ICMP echo-request, and echo-reply. All other
> ICMP packets I reject (except for some icmp unreachable packets) so that
> I don't have to timeout on bad routes.

You may have trouble with Path MTU Discovery if you disallow
Must-Fragment, and you might get poorer diagnostics in the event of a
routing loop without Time-Exceeded. The others are all probably
worthy of ignoring, though.
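
The ruleset below is an added illustration, not part of the original thread or anything either poster ran. It expresses the two points of the reply above in the nftables syntax that replaced the ipchains/iptables rules discussed on the list: ident (TCP 113) is rejected with a TCP reset so a remote identd lookup fails immediately rather than hanging on a timeout, and the ICMP types a host needs for correct operation (echo for ping, destination-unreachable including the fragmentation-needed code for Path MTU Discovery, time-exceeded for traceroute and loop diagnostics) are allowed explicitly while everything else falls through to the drop policy. The service ports 22 and 25 are assumed placeholders for whatever the host actually offers.

```nftables
#!/usr/sbin/nft -f
# Added example ruleset (not from the original post). Assumes a single host
# with no forwarding; the accepted service ports are placeholders.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMP the host needs. Dropping ALL ICMP other than echo (the "stealth"
        # variant) silently breaks Path MTU Discovery, because the
        # fragmentation-needed error never reaches the TCP stack.
        icmp type { echo-request, echo-reply } accept
        icmp type destination-unreachable accept   # covers code frag-needed (PMTUD)
        icmp type time-exceeded accept             # traceroute, routing-loop diagnostics
        icmp type parameter-problem accept
        # redirect, timestamp, address-mask etc. fall through to policy drop

        # IPv6 needs its error and neighbour-discovery messages for the same reasons
        icmpv6 type { echo-request, echo-reply, packet-too-big, time-exceeded,
                      parameter-problem, nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-advert } accept

        # ident: answer with RST so the remote identd lookup returns at once.
        # A plain drop here is what makes mail/IRC connections to the host
        # pause for the lookup timeout.
        tcp dport 113 reject with tcp reset

        # Offered services (assumed placeholders)
        tcp dport { 22, 25 } accept

        # Everything else: policy drop (no RST, no ICMP unreachable)
    }
}
```

Load with `nft -f` on the file. The `ct state related` line already admits ICMP errors that conntrack can tie to an existing flow, so the explicit destination-unreachable and time-exceeded rules mainly matter for errors about traffic conntrack never saw (for example after a reboot, or for UDP flows it has timed out); keeping both is the conservative choice the reply argues for.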
