RE: [exim] RFC 1413 default on debian

Top Page
This message is part of the following thread:
M-\the complete thread tree sorted by date
M.MM+\David Brodbeck at <-
MM.MMMBruce Richardson at ->
Delete this message
Reply to this message
Author: Adam D. Barratt
Date:  
To: exim-users
Subject: RE: [exim] RFC 1413 default on debian
On Wed, 2005-03-16 at 11:58 -0500, David Brodbeck wrote:
[...]
> This is 2005. People use packet filters. That's life. Even setting your
> filter to reject can get you in trouble. If you configure a Linux ipchains
> filter to reject, it sends an ICMP Port Unreachable packet instead of a
> TCP/IP RST packet. Some versions of SunOS interpret this as a *host*
> unreachable situation and just drop all connections to that host.

I'd hope anyone using Linux for packet-filtering isn't using
ipchains. :-) (Given that it was depracated by iptables starting with
the 2.4 kernel series). Assuming iptables, doing it correctly is
trivial:

iptables -A FORWARD -p tcp --dport ident -j REJECT --reject-with
tcp-reset

Works For Us[tm], without any ident timeout issues.

Cheers,

Adam



This message was posted to the following mailing lists:
Exim-users
Mailing List Info | Nearby Messages		<-Re: [exim] Bayesian filtering ideaRe: [exim] Exim server behind NAT router (and HELO)->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)