From owner-freebsd-security Thu Mar 15 14:58:40 2001
Delivered-To: freebsd-security@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4])
    by hub.freebsd.org (Postfix) with ESMTP id 3456E37B718
    for ; Thu, 15 Mar 2001 14:58:37 -0800 (PST)
    (envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost)
    by gndrsh.dnsmgr.net (8.9.3/8.9.3) id OAA51686;
    Thu, 15 Mar 2001 14:58:01 -0800 (PST)
    (envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <200103152258.OAA51686@gndrsh.dnsmgr.net>
Subject: Re: Port 113
In-Reply-To: <15025.15908.270320.373266@nomad.yogotech.com> from Nate Williams at "Mar 15, 2001 03:11:48 pm"
To: nate@yogotech.com (Nate Williams)
Date: Thu, 15 Mar 2001 14:58:00 -0800 (PST)
Cc: des@ofug.org (Dag-Erling Smorgrav), adam@algroup.co.uk (Adam Laurie), ronan@melim.com.br (Ronan Lucio), security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > > My local sendmail doesn't use *my* ident server, but remote sendmail
> > > servers use *my* ident server, so using ident locally speeds up mail
> > > transfers *to* my host.
> >
> > No, the problem only arises if you drop TCP 113 SYNs to the floor
> > instead of rejecting them (ipfw deny instead of ipfw reset); the
> > server times out waiting for you to reply. If you send an RST or an
> > ICMP UNREACH back, it'll give up immediately.
>
> Hmm, I remember a long time ago where it was said (urban legend) that
> even sending RST's confused older versions of mail servers.

There have been several problems over time with ipfw reset and icmp on
FreeBSD not doing the right things. I've seen several commits that look
like they may be addressing the problem but have not found the time to
test to see if they fixed it.

I know from first-hand experience that using ipfw reset to try and stop
ident requests used to do little to nothing more than ipfw deny. IIRC one
of the problems I saw was that the icmp reset packet was created with the
address of the ipfw box, which caused it to be ignored by the sending
host. Don't know if that ever got fixed or not though.

> Running the 'fake' ident server hasn't caused any problems AFAIK. :) :)
>
> Nate
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

--
Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message