Re: Port 113 security

From: Philipp Schulte (pschulte@uni-duisburg.de)
Date: 03/07/03

  • Next message: Ali-Reza Anghaie: "Re: Reviewed the rhn code .. RE: Red Hat Network updates"
    Date: Fri, 7 Mar 2003 14:09:42 +0100
    From: Philipp Schulte <pschulte@uni-duisburg.de>
    To: Chris Santerre <csanterre@MerchantsOverseas.com>
    
    

    Chris Santerre wrote:

    > Currently I block port 113 (ident) on the firewall. I block everything and
    > pick and choose what to let in. Never got around to letting this in :)
    > Anyway, I have about 6-7 in.identd processes running all the time from
    > failed ident attempts. Nothing big really. System is working great. Logs get
    > filled a little much with DENY messages.

    DENYing identd is about the worst thing one can DENY.

    Suppose you want to poll some mail from a POP3-server and this server
    wants to contact your identd (yes, that does happen). You don't have
    one or you REJECT the connection? Everything's fine. You DENY the
    connection? The POP3-server assumes the packet got lost and sends it
    again, waiting for timeouts until finally it decides to let you poll
    the mail anyway.
    This is just one example why DENYing connections can be bad. Just send
    a RST.

    Phil
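The difference Phil describes, shown from the side of the server that performs the ident lookup, as an added example that is not part of the original message or thread. It is a minimal RFC 1413 client: it connects to port 113, sends the "server-port , client-port" query and classifies the outcome. Against a host whose firewall REJECTs with a TCP RST (or that simply has no identd listening, which the kernel answers the same way) the connect fails instantly with ECONNREFUSED; against a host that DENYs/DROPs, the SYN gets no answer and the caller sits out its timeout. Everything here is constructed for the demo: the fake identd is a few-line responder bound to an ephemeral localhost port instead of 113 (assumption: not running as root), the user name "alice" is invented, and the DROP case relies on the assumption that 192.0.2.1 (RFC 5737 TEST-NET-1) is blackholed on the machine running it.

```python
import socket
import threading
import time

IDENT_PORT = 113  # RFC 1413 "auth"/ident port; the demo below uses ephemeral ports instead


def ident_query(host, port, server_port, client_port, timeout=2.0):
    """Perform one RFC 1413 lookup and classify what happened.

    Sends "<server-port> , <client-port>\\r\\n" and returns (status, detail, elapsed):
      'answered'    - a responder replied (detail = the reply line)
      'rejected'    - SYN answered with RST: firewall REJECT --reject-with tcp-reset,
                      or nothing listening; fails immediately
      'dropped'     - no answer at all within `timeout`: firewall DROP/DENY
      'unreachable' - any other socket error (ICMP unreachable, no route, ...)
    """
    t0 = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(f"{server_port} , {client_port}\r\n".encode("ascii"))
            reply = s.recv(1024).decode("ascii", "replace").strip()
        return ("answered", reply, time.monotonic() - t0)
    except ConnectionRefusedError:
        return ("rejected", "RST", time.monotonic() - t0)
    except socket.timeout:
        return ("dropped", "timeout", time.monotonic() - t0)
    except OSError as exc:
        return ("unreachable", str(exc), time.monotonic() - t0)


def start_fake_identd(user="alice"):
    """Constructed stand-in for identd: answers one query on an ephemeral localhost port
    in RFC 1413 format ("<sport> , <cport> : USERID : UNIX : <user>"). Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            req = conn.recv(1024).decode("ascii", "replace")
            sport, _, cport = req.partition(",")
            line = f"{sport.strip()} , {cport.strip()} : USERID : UNIX : {user}\r\n"
            conn.sendall(line.encode("ascii"))

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_closed_port():
    """Pick a localhost port with nothing listening. The kernel answers a SYN to it with
    RST, which is the same wire behaviour as a REJECT rule sending tcp-reset."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Port numbers in the query are arbitrary demo values (POP3 server side 110, client 54321).
    print("answered :", ident_query("127.0.0.1", start_fake_identd(), 110, 54321))
    print("rejected :", ident_query("127.0.0.1", free_closed_port(), 110, 54321))
    # Assumption: 192.0.2.1 (TEST-NET-1) is blackholed here, so this models a DROP rule.
    print("dropped  :", ident_query("192.0.2.1", IDENT_PORT, 110, 54321, timeout=3.0))
```

Run it and compare the elapsed values: the rejected lookup returns in well under a millisecond, the dropped one only after the full timeout, and a real MTA or POP3 server that does ident lookups stalls the session for that long (often much longer than 3 seconds) before giving up. On Linux the behaviour the message recommends is `-j REJECT --reject-with tcp-reset` on port 113 rather than `-j DROP`.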

