From: Bart Matthaei
To: Baldur Gislason
Cc: security@freebsd.org
Date: Wed, 27 Feb 2002 12:58:36 +0100
Subject: Re: best firewall option for FreeBSD

On Wed, Feb 27, 2002 at 11:52:22AM +0000, Baldur Gislason wrote:
> It's never a good idea to silently deny incoming connections on port 113 (RFC1413 ident)
> as remote daemons you connect to often try establishing a connection to your host on that
> port and you won't be served until they've timed out on the ident connection.

These were just some example firewall rules, not a complete setup.

Also, it's better to reset connections to 113 than to deny them (reset won't cause a timeout interval, but will just refuse the connection).

But I see no obvious reason why you would want to disable ident. It's pretty trivial.

Regards,

Bart

-- 
Bart Matthaei bart@dreamflow.nl
Kiss me twice. I'm schizophrenic.
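The reset-versus-deny difference described in the message can be checked from the client side. The following Python check is an added example, not part of the original message: it classifies one TCP connect attempt as reset, silently dropped, or accepted, and reports how long the caller waited. The function names, the 3-second timeout and the loopback demo targets are assumptions made for the illustration.

```python
import errno
import socket
import time

IDENT_PORT = 113  # RFC 1413 ident, the port discussed in the message

def classify_port(host, port=IDENT_PORT, timeout=3.0):
    """Try one TCP connect and return (verdict, seconds_waited).
    "refused"  - an RST came back: closed port or a firewall "reset" rule
    "filtered" - nothing came back before the timeout: silent "deny"
    "open"     - handshake completed: a daemon is listening
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.connect((host, port))
        verdict = "open"
    except ConnectionRefusedError:
        verdict = "refused"
    except socket.timeout:
        verdict = "filtered"
    except OSError as exc:  # e.g. EHOSTUNREACH from an ICMP error
        verdict = "error:" + errno.errorcode.get(exc.errno, "unknown")
    finally:
        sock.close()
    return verdict, time.monotonic() - start

def loopback_demo():
    """Constructed local targets so the check runs offline."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # nothing listens here now, so the kernel answers with RST
    try:
        return {
            "listening": classify_port("127.0.0.1", listener.getsockname()[1]),
            "closed": classify_port("127.0.0.1", closed_port),
        }
    finally:
        listener.close()

if __name__ == "__main__":
    for name, (verdict, waited) in loopback_demo().items():
        print(f"{name:9s} {verdict:8s} {waited:.3f}s")
```

Run against your own host from outside the firewall, a "filtered" verdict on port 113 arrives only after the full timeout, which is the delay remote daemons incur before serving you; a "refused" verdict returns almost immediately.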