Re: Port 113 security
From: Philipp Schulte (email@example.com)
Date: Fri, 7 Mar 2003 14:09:42 +0100
To: Chris Santerre <csanterre@MerchantsOverseas.com>

Chris Santerre wrote:
> Currently I block port 113 (ident) on the firewall. I block everything and
> pick and choose what to let in. Never got around to letting this in :)
> Anyway, I have about 6-7 in.identd processes running all the time from
> failed ident attempts. Nothing big really. System is working great. Logs get
> filled a little much with DENY messages.

DENYing identd is about the worst thing one can DENY.
Suppose you want to poll some mail from a POP3-server and this server
wants to contact your identd (yes, that does happen). You don't have
one or you REJECT the connection? Everything's fine. You DENY the
connection? The POP3-server assumes the packet got lost and sends it
again, waiting for timeouts until finally it decides to let you poll
the mail anyway.
This is just one example why DENYing connections can be bad. Just send