From owner-cvs-all Thu Nov 5 00:15:59 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA02598 for cvs-all-outgoing; Thu, 5 Nov 1998 00:15:59 -0800 (PST) (envelope-from owner-cvs-all@FreeBSD.ORG)
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA02579 for ; Thu, 5 Nov 1998 00:15:56 -0800 (PST) (envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.9.1/8.8.5) with ESMTP id JAA11225; Thu, 5 Nov 1998 09:13:45 +0100 (CET)
To: Nate Williams
cc: Don Lewis , cvs-committers@FreeBSD.ORG
Subject: Re: cvs commit: src/usr.sbin/inetd inetd.c
In-reply-to: Your message of "Thu, 05 Nov 1998 00:56:10 MST." <199811050756.AAA17272@mt.sri.com>
Date: Thu, 05 Nov 1998 09:13:45 +0100
Message-ID: <11223.910253625@critter.freebsd.dk>
From: Poul-Henning Kamp
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk

>> Well, it is (barely) measurably faster on the two busy mailservers I run.
>
>That makes no sense given Don's analysis. Getting a reset is *MUCH*
>faster than making a full-fledged TCP connection, sending and receiving
>(bogus) data, and then shutting down the connection.

I think Don assumes that all mail servers run BSD + sendmail. That doesn't
seem to be the case on the Internet I work on. While I agree with his
analysis, reality says differently. Don't forget I said "barely
measurable". We're talking about two servers which spam-filter email for
more than 20% of the Danish internet users.

>Are you sure it's not your firewall setup that's causing it? (I ask
>since I got my original firewall stuff from you, and most of the rules
>you had were 'deny' instead of 'reject' type rules.

There is no firewalling.

>> The other advantage is that it makes:
>> sysctl -w net.inet.tcp.log_in_vain=1
>> less noisy on same machines.
>
>????

Have you tried it on a mail server which doesn't answer port 113?

You get a message (possibly 3) every time somebody tries to connect to
port 113. With this dummy server in place, you don't get the noise, so
you can see actual portscans and stuff like that.

Everybody who's concerned about security should run with

sysctl -w net.inet.tcp.log_in_vain=1

even if behind a firewall.

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
"ttyv0" -- What UNIX calls a $20K state-of-the-art, 3D, hi-res color terminal

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message
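The noise problem phk describes above, as an added example that is not part of the original message or of the FreeBSD source: a small Python script that parses syslog lines of the shape the FreeBSD kernel emits when net.inet.tcp.log_in_vain=1 is set, counts how much of the output is nothing but port-113 (ident/auth) probes from remote MTAs, and flags the sources that touched many distinct ports, which is what a portscan looks like once the ident noise is gone. The line format ("Connection attempt to TCP dst:dport from src:sport", with a trailing "flags:0x.." field on newer kernels) is reproduced from memory of tcp_input.c, and the sample lines, hostnames, addresses and the scan threshold are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of kernel syslog output produced with
# net.inet.tcp.log_in_vain=1. Addresses, ports and times are made up.
# Three identical port-113 lines from 198.51.100.7 mirror the "possibly 3"
# retries a remote MTA makes before giving up on ident.
SAMPLE_LOG = """\
Nov  5 09:10:01 mx1 /kernel: Connection attempt to TCP 192.0.2.10:113 from 198.51.100.7:2049
Nov  5 09:10:02 mx1 /kernel: Connection attempt to TCP 192.0.2.10:113 from 198.51.100.7:2049
Nov  5 09:10:03 mx1 /kernel: Connection attempt to TCP 192.0.2.10:113 from 198.51.100.7:2049
Nov  5 09:11:15 mx1 /kernel: Connection attempt to TCP 192.0.2.10:113 from 203.0.113.44:3301
Nov  5 09:12:40 mx1 /kernel: Connection attempt to TCP 192.0.2.10:21 from 203.0.113.99:40001
Nov  5 09:12:40 mx1 /kernel: Connection attempt to TCP 192.0.2.10:23 from 203.0.113.99:40002
Nov  5 09:12:41 mx1 /kernel: Connection attempt to TCP 192.0.2.10:79 from 203.0.113.99:40003
Nov  5 09:12:41 mx1 /kernel: Connection attempt to TCP 192.0.2.10:111 from 203.0.113.99:40004
Nov  5 09:12:42 mx1 /kernel: Connection attempt to TCP 192.0.2.10:113 from 203.0.113.99:40005
Nov  5 09:12:42 mx1 /kernel: Connection attempt to TCP 192.0.2.10:143 from 203.0.113.99:40006 flags:0x2
Nov  5 09:13:00 mx1 /kernel: Connection attempt to TCP 192.0.2.10:6000 from 203.0.113.12:1027
"""

# Matches the log_in_vain message body; the optional " flags:0x.." suffix
# on newer kernels is simply left unmatched, since search() is used.
LINE_RE = re.compile(
    r"Connection attempt to TCP (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"from (?P<src>[\d.]+):(?P<sport>\d+)"
)

IDENT_PORT = 113  # the auth/ident port remote MTAs probe before accepting mail


def parse_log_in_vain(text):
    """Yield (src, dport) for each log_in_vain line; other lines are ignored."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), int(m.group("dport"))


def summarize(text, scan_threshold=4):
    """Bucket connection attempts per source address.

    Returns a dict with
      total:       number of log_in_vain lines seen,
      ident_noise: attempts from sources that only ever hit port 113, i.e.
                   the lines a dummy ident responder would make disappear,
      scanners:    sources that touched at least scan_threshold distinct
                   ports (the threshold is an assumption for this example),
      ports:       sorted list of distinct target ports per source.
    """
    attempts = defaultdict(int)
    ports = defaultdict(set)
    total = 0
    for src, dport in parse_log_in_vain(text):
        total += 1
        attempts[src] += 1
        ports[src].add(dport)

    ident_noise = sum(attempts[s] for s, p in ports.items() if p == {IDENT_PORT})
    scanners = sorted(s for s, p in ports.items() if len(p) >= scan_threshold)
    return {
        "total": total,
        "ident_noise": ident_noise,
        "scanners": scanners,
        "ports": {s: sorted(p) for s, p in ports.items()},
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['total']} attempts logged, "
          f"{report['ident_noise']} of them pure ident noise")
    for src in report["scanners"]:
        print(f"possible scan from {src}: ports {report['ports'][src]}")
```

Run against the sample, the report shows that 4 of the 11 lines come from hosts that did nothing but ask for ident, exactly the volume a dummy auth service on port 113 removes, while 203.0.113.99 stands out as the only source walking several ports. Note that the scanner is counted on distinct ports rather than raw attempts, so a legitimate MTA retrying port 113 three times is not mistaken for a scan.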