Date: Sat, 31 Jan 2004 07:46:39 -0600 From: "J.D. Bronson" <jbronson@lonebandit.com> To: Matthew Seaman <m.seaman@infracaninophile.co.uk> Cc: freebsd-questions@freebsd.org Subject: Re: tcp blackhole and ident Message-ID: <6.0.2.0.2.20040131074525.00b3fdd8@cheyenne.wixb.com> In-Reply-To: <20040131133924.GB48307@happy-idiot-talk.infracaninophile.c o.uk> References: <6.0.2.0.2.20040131072955.00b54ee8@cheyenne.wixb.com> <20040131133924.GB48307@happy-idiot-talk.infracaninophile.co.uk>
next in thread | previous in thread | raw e-mail | index | archive | help
At 07:39 AM 1/31/2004, Matthew Seaman wrote: >On Sat, Jan 31, 2004 at 07:32:36AM -0600, J.D. Bronson wrote: > > I have a question. I setup the following in sysctl.conf: > > > > net.inet.tcp.blackhole=2 > > net.inet.udp.blackhole=1 > > > > ..Well this works, but now I have a new issue. > > I run sendmail and as such, need to allow TCP 113 into this machine > > and yet get CONNECTION REFUSED. - I dont want to run IDENT, but > > need to still get the CONNECTION REFUSED... > >Run ipfw(8) or a similar firewall and set up a rule that sends an ICMP >reject whenever it detects an incoming connection on port 113 as part >of your firewall configuration. Eg. something like: > > 01600 reset tcp from any to me dst-port 113 setup > > Cheers, > > Matthew Thanks...but I have quite a robust Cisco firewall in place ahead of the freebsd machines...so I dont -need- to run ipfw...Hmmm... Actually since the Cisco is dropping any packets already, I wonder if 'blackhole' is simply a stupid idea in the first place... -- J.D. Bronson - "LoneBandit" Aurora Health Care // Information Services // Milwaukee, WI USA Office: 414.978.8282 // Email: jd@aurora.org // Pager: 414.314.8282
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6.0.2.0.2.20040131074525.00b3fdd8>