Re: Clever firewall rules

From: hvdkooij@vanderkooij.org
Date: 09/17/01


From: hvdkooij@vanderkooij.org
Date: Mon, 17 Sep 2001 07:51:19 +0200 (CEST)
To: focus-linux <focus-linux@lists.securityfocus.com>
Subject: Re: Clever firewall rules
Message-ID: <Pine.LNX.4.33.0109170746460.11258-100000@ultra1.hugo.vanderkooij.org>

On 16 Sep 2001, Scott Gifford wrote:

> On Fri, 14 Sep 2001, Welsh, Armand wrote:
>
> > the big argument I hear is that if you drop packets instead of rejecting
> > them, then some systems will pause (timeout) on identd lookups. My
> > attitude is that I don't run identd services, and I think they should
> > not be tied to internet services anyways. On the inside it's nice, but
> > if people are using identd on the internet, too bad. They can timeout.
> > I would rather be in stealth mode, than to advertise to others that I am
> > not accepting the connection.
>
> I don't understand exactly what this is supposed to accomplish; you've
> already advertised your IP address by connecting to the service in
> general, and they're going to know you're not running ident
> eventually; it's just a matter of whether they (and probably you) wait
> 1 second or 30. What information does this hide?

Not much.

> There are legitimate reasons for using ident. From multiuser systems
> in particular, ident lets you block a single user instead of the
> entire server, or lets a sysadmin identify an abusive user from the
> system.

It is known that ident information gathering is something that might as
well be left out as the information can and commonly IS faked. Any
information source that is external and can't be verified should not be
trusted at all.

Hence ident is in effect plain useless. But due to its common use until
now it is better to reject it than to drop it if you don't want it to pass
through.

Hugo.

-- 
All email sent to me is bound to the rules described on my homepage.
    hvdkooij@vanderkooij.org		http://hvdkooij.xs4all.nl/
	    Don't meddle in the affairs of sysadmins,
	    for they are subtle and quick to anger.
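The thread's two points, that dropping instead of rejecting port 113 only changes how long the other side waits, and that whatever an ident server answers is an unverifiable string, can both be seen from the client side. The following is an added example, not code from Hugo or from the list: a minimal RFC 1413 ident client that reports "refused" (what a REJECT, or a closed port, produces at once), "timeout" (what a DROP produces after the full wait) or the parsed reply, plus a throwaway local server that answers every query with a canned username to show how trivially the reply is faked. Host, ports, timeout and the reply text are constructed for the demo; on the server side the REJECT variant of the rule would be, with iptables, `-p tcp --dport 113 -j REJECT --reject-with tcp-reset`.

```python
"""Added example (not part of the original thread): RFC 1413 ident client
showing refused vs. timeout outcomes and an easily faked reply."""
import socket
import threading

IDENT_PORT = 113
TIMEOUT_S = 2.0  # constructed; a real ident-using daemon often waits far longer


def parse_ident_reply(line):
    """Parse one ident reply line into (status, opsys_or_error, userid).

    RFC 1413 reply format:
      "<server-port> , <client-port> : USERID : <opsys> : <user-id>"
      "<server-port> , <client-port> : ERROR : <error-type>"
    """
    parts = [p.strip() for p in line.strip().split(":", 3)]
    if len(parts) < 3:
        raise ValueError("malformed ident reply: %r" % line)
    status = parts[1].upper()
    if status == "USERID" and len(parts) == 4:
        return ("USERID", parts[2], parts[3])
    if status == "ERROR":
        return ("ERROR", parts[2], None)
    raise ValueError("malformed ident reply: %r" % line)


def ident_lookup(host, server_port, client_port, ident_port=IDENT_PORT,
                 timeout=TIMEOUT_S):
    """Return ("refused", None), ("timeout", None) or ("reply", parsed).

    A host that REJECTs port 113 (TCP RST or ICMP unreachable) lands in
    "refused" immediately; one that DROPs the SYN lands in "timeout" only
    after the full wait. Neither tells the remote end anything new.
    """
    query = "%d , %d\r\n" % (server_port, client_port)
    try:
        with socket.create_connection((host, ident_port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(query.encode("ascii"))
            data = s.recv(512)
    except ConnectionRefusedError:
        return ("refused", None)
    except (socket.timeout, TimeoutError):
        return ("timeout", None)
    return ("reply", parse_ident_reply(data.decode("ascii", "replace")))


def serve_canned_reply(reply_line):
    """Start a throwaway ident 'server' on 127.0.0.1 that answers one query
    with reply_line, whatever was asked. Returns its port. Constructed for
    the demo: this is all it takes to fake ident information."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.recv(512)  # the "<sport> , <cport>" query, ignored on purpose
            conn.sendall(reply_line.encode("ascii"))
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def closed_port():
    """Pick a local port with no listener, so a connect gets a RST: the same
    client-side outcome as a firewall REJECT with tcp-reset."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # 1. REJECT-like: nothing listens, the connect fails at once.
    print(ident_lookup("127.0.0.1", 6193, 23, ident_port=closed_port()))
    # 2. A faked reply: the remote end asserts any username it likes.
    port = serve_canned_reply("6193 , 23 : USERID : UNIX : root\r\n")
    print(ident_lookup("127.0.0.1", 6193, 23, ident_port=port))
```

The DROP case cannot be shown offline (it needs a peer that silently discards the SYN), but it is the same `ident_lookup` call returning `("timeout", None)` after `TIMEOUT_S` seconds; the difference between the two firewall policies is exactly that wait, nothing more.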
