著者: Hochstrasser Benedikt 日付: To: exim-users 題目: RE: [Exim] Should there be any reason for this?
Matthew Byng-Maddick wrote:
> Hochstrasser Benedikt wrote:
>> IMHO the firewall /is/ properly configured when it silently drops the
>> auth packet. (They are evil, you know. <g>) Apart from that, a Windows >> system doesn't know about ident anyway. > Then it should be returning a RST. End of story. Silently dropping stuff > is a way to pretend that your network is broken. How fantastically
> useful.
The main reason for this is to slow down port scanning. Nearly every
firewall
setup suggests to use "stealth mode" (aka drop packet).
> You may or may not understand the purpose of ident, from the above statement, > it looks like you don't. (...) The idea is that I log stuff about the
> connection (...) If you're not running a multi-user system, there is no > reason to run an identd
Ident has been abused many times to harvest [potential] email addresses.
If I
wanted to trace my users's connections then I have a firewall or proxy
log. Plus,
Windows doesn't offer it and most smtp gateways are to be considered
"single user".
>> (FWIW I have a dummy identd running here just to appease other nosey
>> servers, but I'd prefer not having to use that at all) > How useful, why not just not listen on the port?
We connect to sites that require ident queries to be answered. (They
didn't require
the answers to be accurate, though <g>)
> Not giving out RSTs for closed ports is almost always the wrong thing to do. > (It goes, in my mind, hand in hand with blocking ICMP ECHO-REQ "for
> security reasons", or even better, blocking all ICMP, leading to weirdness > when the machine doesn't believe in ICMP TTL-EXCEEDED or ICMP MUST-FRAGMENT.
I agree, most ICMP stuff is legitimate, blocking it makes no sense. OTOH
there have
been enough ICMP exploits to justify the blocking of at least some of
them.