Date:      Sat, 03 Apr 2010 00:59:54 -0700
From:      perryh@pluto.rain.com
To:        m.seaman@infracaninophile.co.uk, freebsd-questions-local@be-well.ilk.org
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Sendmail Five Second Greeting Delay
Message-ID:  <4bb6f57a.wld7n7exwvUX7%2Ba9%perryh@pluto.rain.com>
In-Reply-To: <44iq89lo3v.fsf@be-well.ilk.org>
References:  <201004011751.27767.npapke@acm.org> <4BB58AC2.50009@infracaninophile.co.uk> <p2y2daa8b4e1004020533u16d3c5a5hc48eb7ec4ceea7b8@mail.gmail.com> <4BB62E5D.5030400@infracaninophile.co.uk> <44iq89lo3v.fsf@be-well.ilk.org>

Lowell Gilbert <freebsd-questions-local@be-well.ilk.org> wrote:
> Matthew Seaman <m.seaman@infracaninophile.co.uk> writes:
> > Ident queries like this will cause a delay if the other side
> > doesn't respond to the ident query ...
> I consider it polite for firewalls to actively refuse to open
> the connection (TCP reset) rather than just dropping the request,
> though.  There's really no downside to doing so.

Other than giving port-scanners an affirmative indication that
there is a device of some sort at the IP address involved.
Some firewalls even drop pings for exactly this reason.

If the request comes from an address to which I've recently*
initiated a connection -- so he already knows that my address
is currently alive -- I ought to either respond per protocol
or reset.  If it comes from who-knows-where, it may be safer
to drop it.

The ident protocol is useful for the purpose for which it was
designed:  to pass "whom to blame" info between servers which have
reason to trust one another's identity (based on, e.g., stable IP
addresses) and administration.  Granted the circumstances in which
these conditions are met are a lot less prevalent than they once
were.

* for some reasonable definition of recently
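
The reset-or-drop rule described in the message above, as an added example that is not part of the original e-mail: a small Python model of a filter that answers an inbound ident probe with a TCP reset only when the source is a peer we recently connected to, and silently drops it otherwise. The 5-minute window, the `IdentPolicy` class and its method names, and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import time

IDENT_PORT = 113        # TCP port used by the ident protocol
RECENT_WINDOW = 300.0   # assumed: "recently" means 5 minutes; the message leaves it open


class IdentPolicy:
    """Model of the reset-or-drop decision for inbound ident probes."""

    def __init__(self, window=RECENT_WINDOW, clock=time.monotonic):
        self.window = window
        self.clock = clock
        self._last_outbound = {}  # peer address -> time we last connected out to it

    def note_outbound(self, peer):
        """Record that this host initiated a connection to `peer`."""
        self._last_outbound[peer] = self.clock()

    def _expire(self):
        """Forget peers whose last outbound connection is older than the window."""
        cutoff = self.clock() - self.window
        self._last_outbound = {
            p: t for p, t in self._last_outbound.items() if t >= cutoff
        }

    def decide(self, src, dport):
        """Return 'reset', 'drop' or 'other' for an inbound TCP SYN."""
        if dport != IDENT_PORT:
            return "other"   # not an ident probe; outside this policy
        self._expire()
        if src in self._last_outbound:
            return "reset"   # peer already knows we exist; RST spares it the timeout
        return "drop"        # unsolicited source: give no sign a host is here


def demo():
    """Run the policy over constructed events with a controllable clock."""
    now = [0.0]
    policy = IdentPolicy(clock=lambda: now[0])
    policy.note_outbound("192.0.2.25")                 # we send mail to this server
    results = [policy.decide("192.0.2.25", 113)]       # its ident callback
    results.append(policy.decide("198.51.100.7", 113)) # unsolicited probe
    now[0] = 301.0                                     # window has passed
    results.append(policy.decide("192.0.2.25", 113))
    return results


if __name__ == "__main__":
    print(demo())
```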
