From: "J.D. Bronson"
To: Matthew Seaman
Cc: freebsd-questions@freebsd.org
Date: Sat, 31 Jan 2004 07:46:39 -0600
Subject: Re: tcp blackhole and ident

At 07:39 AM 1/31/2004, Matthew Seaman wrote:
>On Sat, Jan 31, 2004 at 07:32:36AM -0600, J.D. Bronson wrote:
>> I have a question. I set up the following in sysctl.conf:
>>
>> net.inet.tcp.blackhole=2
>> net.inet.udp.blackhole=1
>>
>> ..Well this works, but now I have a new issue.
>> I run sendmail and as such, need to allow TCP 113 into this machine
>> and yet get CONNECTION REFUSED. - I don't want to run IDENT, but
>> need to still get the CONNECTION REFUSED...
>
>Run ipfw(8) or a similar firewall and set up a rule that sends an ICMP
>reject whenever it detects an incoming connection on port 113 as part
>of your firewall configuration. Eg. something like:
>
>    01600 reset tcp from any to me dst-port 113 setup
>
>	Cheers,
>
>	Matthew

Thanks...but I have quite a robust Cisco firewall in place ahead of the
freebsd machines...so I don't -need- to run ipfw...Hmmm...

Actually since the Cisco is dropping any packets already, I wonder if
'blackhole' is simply a stupid idea in the first place...

--
J.D. Bronson - "LoneBandit"
Aurora Health Care // Information Services // Milwaukee, WI USA
Office: 414.978.8282 // Email: jd@aurora.org // Pager: 414.314.8282
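The whole thread turns on what a remote MTA sees when it connects back to TCP 113: an immediate RST (CONNECTION REFUSED) lets it carry on with the SMTP session, while a blackholed or firewall-dropped SYN makes it sit out its own ident timeout. The probe below is an added check, not part of the original thread or of FreeBSD; it classifies a host's answer on port 113 so you can verify which of the two you are actually presenting. The hostname argument and the loopback helper used for self-testing are assumptions.

```python
import errno
import socket
import sys

IDENT_PORT = 113  # auth/ident, the port sendmail's peers connect back to


def probe_tcp(host, port, timeout=3.0):
    """Classify how `host` answers a TCP connection attempt to `port`.

    'open'        -> handshake completed (an ident daemon is listening)
    'refused'     -> RST came back; the remote MTA gives up at once
    'unreachable' -> ICMP unreachable came back; also a fast failure
    'dropped'     -> nothing within `timeout` (blackhole or firewall drop);
                     the remote MTA stalls until its own ident timeout
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "dropped"
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        s.close()


def closed_local_port():
    """Loopback port with no listener (constructed input for self-testing)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()  # nothing listens here now, so a connect gets an RST
    return port


if __name__ == "__main__":
    # Usage: python probe.py mail.example.org  (hostname is an assumption)
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print("%s:%d -> %s" % (target, IDENT_PORT, probe_tcp(target, IDENT_PORT)))
```

Run it from a host on the far side of the Cisco: 'refused' is the result the thread is after, 'dropped' means the upstream firewall (or blackhole) is swallowing the SYN and remote MTAs will wait.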