iptables: drop or reject?

John Summerfield debian at herakles.homelinux.org
Sun Oct 28 08:27:01 UTC 2007


Bruno Wolff III wrote:
> On Thu, Oct 25, 2007 at 11:54:28 -0600,
>   "Ashley M. Kirchner" <ashley at pcraft.com> wrote:
>>    To drop or not to drop, that is the question.  If there's a server 
>> out there sending spam e-mail, and I use iptables to block it, is it 
>> best to simply drop the packet, or should I do a '--reject-with 
>> icmp-host-unreachable' (or 'icmp-port-unreachable') or just a 'tcp-reset'?
> 
> Dropping packets from the ident port can potentially cause problems. Sometimes
> servers will check back there to get a user id (this goes back to when people
> mostly shared computers, it is pretty pointless today) and if you drop packets
> things may stall until the connection times out rather than giving up
> immediately after being told ident isn't available.
> 

Anyone who thinks identd provides any security at all wrt computers they 
don't control is ignorant or stupid.

It's trivial to find (or even, at a pinch, write/modify one) a fake 
identd that will say anything one chooses; anyone implementing security 
assuming otherwise is trusting the untrustworthy.

Besides that, DOS boxes don't normally have one.

-- 

Cheers
John

-- spambait
1aaaaaaa at coco.merseine.nu  Z1aaaaaaa at coco.merseine.nu
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

Please do not reply off-list
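Added example (not from the thread or any of its posters): the two ways of handling the ident port (113/tcp) that Bruno's point contrasts, written as iptables-restore fragments so they can be reviewed before loading. The rule sets, the function names and the "apply" argument are constructed for illustration; nothing is applied unless the script is run as root with that argument.

```shell
#!/bin/sh
# Constructed example: firewall handling of inbound ident (113/tcp) on a
# mail host. Remote MTAs may connect back to port 113 on each SMTP session.

# Weak variant: DROP. The remote MTA gets no answer and waits for its own
# connect timeout before continuing, so every inbound message is delayed.
ident_rules_drop() {
    printf '%s\n' \
        '*filter' \
        '-A INPUT -p tcp --dport 113 -j DROP' \
        'COMMIT'
}

# Corrected variant: REJECT with a TCP reset. The remote MTA sees
# "connection refused" at once and gives up on the ident lookup, which is
# exactly what happens on a host that simply runs no identd.
ident_rules_reject() {
    printf '%s\n' \
        '*filter' \
        '-A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset' \
        'COMMIT'
}

# Report the target (-j value) of the port-113 rule in a rule set.
# $1 = name of a function that emits the rule set.
ident_action() {
    "$1" | awk '/--dport 113/ {
        for (i = 1; i <= NF; i++) if ($i == "-j") print $(i + 1)
    }'
}

# Load the corrected rule set without flushing existing rules (-n), but
# only when explicitly requested: sh ident-rules.sh apply
if [ "${1:-}" = "apply" ]; then
    ident_rules_reject | iptables-restore -n
fi
```

Run without arguments the script only defines the functions; `ident_rules_drop` and `ident_rules_reject` print the two fragments for comparison.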