RE: [Exim] Should there be any reason for this?

Top Page
Delete this message
Reply to this message
Author: Hochstrasser Benedikt
Date:  
To: exim-users
Subject: RE: [Exim] Should there be any reason for this?
Matthew Byng-Maddick wrote:

> Hochstrasser Benedikt wrote:
>> IMHO the firewall /is/ properly configured when it silently drops the
>> auth packet. (They are evil, you know. <g>) Apart from that, a

Windows
>> system doesn't know about ident anyway.


> Then it should be returning a RST. End of story. Silently dropping

stuff
> is a way to pretend that your network is broken. How fantastically
> useful.


The main reason for this is to slow down port scanning. Nearly every
firewall
setup suggests to use "stealth mode" (aka drop packet).

> You may or may not understand the purpose of ident, from the above

statement,
> it looks like you don't. (...) The idea is that I log stuff about the
> connection (...) If you're not running a multi-user system, there is

no
> reason to run an identd


Ident has been abused many times to harvest [potential] email addresses.
If I
wanted to trace my users's connections then I have a firewall or proxy
log. Plus,
Windows doesn't offer it and most smtp gateways are to be considered
"single user".

>> (FWIW I have a dummy identd running here just to appease other nosey
>> servers, but I'd prefer not having to use that at all)


> How useful, why not just not listen on the port?


We connect to sites that require ident queries to be answered. (They
didn't require
the answers to be accurate, though <g>)

> Not giving out RSTs for closed ports is almost always the wrong thing

to do.
> (It goes, in my mind, hand in hand with blocking ICMP ECHO-REQ "for
> security reasons", or even better, blocking all ICMP, leading to

weirdness
> when the machine doesn't believe in ICMP TTL-EXCEEDED or ICMP

MUST-FRAGMENT.

I agree, most ICMP stuff is legitimate, blocking it makes no sense. OTOH
there have
been enough ICMP exploits to justify the blocking of at least some of
them.

--
Ben