On Fri, Apr 23, 2004 at 09:45:13AM +0200, Hochstrasser Benedikt wrote:
> IMHO the firewall /is/ properly configured when it silently drops the
> auth packet. (They are evil, you know. <g>) Apart from that, a Windows
> system doesn't know about ident anyway.
Then it should be returning a RST. End of story. Silently dropping stuff
is a way to pretend that your network is broken. How fantastically
useful.
> As we cannot reach each and every client out there we must make sure
> exim doesn't use ident calls at all. May I suggest that rfc1413 queries
> are disabled by default? They usually don't carry useful information
> anyway. If an admin feels the urge to use ident calls, he/she should
> enable them explicitly.
You may or may not understand the purpose of ident; from the above statement,
it looks like you don't. Ident doesn't exist for the remote admin who does
the ident query, it exists for the admin of the machine who gives out the
ident. The idea is that I log stuff about the connection, and if I decide
that there has been abuse, I say to the admin of the machine giving out the
ident query: "one of your users (your server gave me this ident string: foo)
tried to attack blah blah blah", and the admin of the server that gave out
the ident string can decide what action to take against who. If you're not
running a multi-user system, there is no reason to run an identd, however,
if you are, it is quite useful in tracing who might have been responsible
for the misuse.
> (FWIW I have a dummy identd running here just to appease other nosey
> servers, but I'd prefer not having to use that at all)
How useful, why not just not listen on the port?
Not giving out RSTs for closed ports is almost always the wrong thing to
do. (It goes, in my mind, hand in hand with blocking ICMP ECHO-REQ "for
security reasons", or even better, blocking all ICMP, leading to weirdness
when the machine doesn't believe in ICMP TTL-EXCEEDED or ICMP MUST-FRAGMENT.)
MBM
--
Matthew Byng-Maddick <mbm@???> http://colondot.net/
(Please use this address to reply)
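The two points argued in the message above (what an RFC 1413 identd actually returns, and the difference the querying MTA sees between a closed port that answers with a RST and a firewall that silently drops the packet) as an added example. This is not exim's code and not either poster's; it is a minimal ident responder and querying client written for this thread. The connection table `CONNECTIONS` is constructed (a real identd looks the owner up in the kernel's socket table), the port numbers 25 and 40123 are made up, and the "silent drop" is simulated on loopback by a listener that never replies.

```python
"""RFC 1413 (ident) round trip, plus what drop-vs-RST does to the querying side."""
import re
import socket
import threading

# Constructed stand-in for the kernel socket table an identd consults:
# (local port, remote port) of a TCP connection -> user that owns it.
CONNECTIONS = {(40123, 25): "foo"}

_REQUEST_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")
_RESPONSE_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:\s*(.*?)\s*$")


def build_response(request_line, connections=CONNECTIONS):
    """identd side: parse '<port-on-server>, <port-on-client>' and answer it.
    The answer identifies a local user; the abuse trail discussed above
    only exists because this side logs and returns it."""
    m = _REQUEST_RE.match(request_line.rstrip("\r\n"))
    if not m:
        return "0 , 0 : ERROR : INVALID-PORT\r\n"
    sport, cport = int(m.group(1)), int(m.group(2))
    if not (1 <= sport <= 65535 and 1 <= cport <= 65535):
        return f"{sport} , {cport} : ERROR : INVALID-PORT\r\n"
    user = connections.get((sport, cport))
    if user is None:
        return f"{sport} , {cport} : ERROR : NO-USER\r\n"
    return f"{sport} , {cport} : USERID : UNIX : {user}\r\n"


def parse_response(line):
    """Querying side: ('USERID', user), ('ERROR', code), or None if malformed."""
    m = _RESPONSE_RE.match(line)
    if not m:
        return None
    kind, rest = m.group(3), m.group(4)
    if kind == "ERROR":
        return ("ERROR", rest)
    # USERID : <opsys>[,<charset>] : <user-id>; the user-id runs to end of line
    _opsys, _, user = rest.partition(":")
    return ("USERID", user.strip())


def ident_query(host, port, local_port, remote_port, timeout=2.0):
    """What an MTA does for an inbound SMTP connection: ask the peer's identd
    who owns the far end. The return value distinguishes the firewall cases."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(f"{remote_port}, {local_port}\r\n".encode("ascii"))
            return parse_response(s.recv(1024).decode("ascii", "replace"))
    except ConnectionRefusedError:
        return ("ERROR", "REFUSED")   # RST came back: answer known at once, no delay
    except socket.timeout:
        return ("ERROR", "TIMEOUT")   # silent drop: the MTA waits out the whole timeout


def _serve_one(listener, connections):
    conn, _ = listener.accept()
    with conn:
        req = conn.recv(512).decode("ascii", "replace")
        conn.sendall(build_response(req, connections).encode("ascii"))


def demo(timeout=0.5):
    """Loopback run of the three cases: a peer running identd, a closed port
    (kernel answers with RST), and a peer that never replies (simulated drop)."""
    results = {}
    identd = socket.socket()
    identd.bind(("127.0.0.1", 0))
    identd.listen(1)
    threading.Thread(target=_serve_one, args=(identd, CONNECTIONS), daemon=True).start()
    results["identd"] = ident_query("127.0.0.1", identd.getsockname()[1], 25, 40123, timeout)
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()  # nothing listens here any more, so connect gets a RST
    results["closed"] = ident_query("127.0.0.1", closed_port, 25, 40123, timeout)
    silent = socket.socket()
    silent.bind(("127.0.0.1", 0))
    silent.listen(1)  # accepted by the kernel but never answered: stands in for a drop
    results["dropped"] = ident_query("127.0.0.1", silent.getsockname()[1], 25, 40123, timeout)
    identd.close()
    silent.close()
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `USERID`/`foo` for the answering peer, `REFUSED` immediately for the closed port, and `TIMEOUT` only after the full timeout for the silent peer; that last case, multiplied by every inbound connection, is the cost the drop-everything firewall imposes on the querying MTA.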