From owner-freebsd-security Sat May 26 15:07:22 2001
Date: Sat, 26 May 2001 18:07:37 -0400 (EDT)
From: Rob Simmons <rsimmons@wlcg.com>
To: sthaug@nethelp.no
Cc: jgross@stimpy.net, freebsd-security@FreeBSD.ORG
Subject: Re: 'nother IPFW question
In-Reply-To: <71473.990909998@verdi.nethelp.no>

Since you cannot control other people's firewalls, you should also set the
IDENT timeout to 0 seconds with the following line in /etc/mail/.mc:

    define(`confTO_IDENT', `0s')

This will prevent any delays in sending mail to a mailserver behind a
firewall that blocks incoming port 113 without sending a RST.

I also add an ipf rule to just send an RST if the connection was attempted
to the IP address of my mailserver. All other IPs that are not running mail
services, I have set to drop the incoming port 113 traffic on the floor,
since it's most likely that the person trying to connect is a spammer trying
to relay mail off my servers. I like to waste spammers' time. :)

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Sat, 26 May 2001 sthaug@nethelp.no wrote:

> > Augh! Why wouldn't you just have the firewall refuse the connection? It's a
> > bad idea to pass anything through your firewall that you don't want on your
> > internal network.
>
> If you can get your firewall to send a TCP RST, it makes sense. If your
> firewall simply drops the packet, you have just introduced quite a bit
> of delay in many of your email transactions (while the mail server at
> the other end waits for the IDENT request to timeout).
>
> Steinar Haug, Nethelp consulting, sthaug@nethelp.no
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
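The three outcomes the thread argues about, seen from the mail server that does the IDENT lookup, as an added example that is not part of the original message and is not sendmail or FreeBSD code. It performs an RFC 1413 query with a hard timeout and classifies the result: the peer answers port 113 with a TCP RST (instant failure, no delay), the peer silently swallows the traffic (the MTA burns its whole IDENT timeout before giving up), or the lookup is disabled altogether (the effect of confTO_IDENT 0s). Everything it talks to is a loopback stand-in constructed inside the block: a closed port for the RST case, a listener that never answers for the drop case, and a one-shot stub identd answering as user "nobody" for the normal case. The port numbers 40000 and 25 are arbitrary sample values.

```python
"""IDENT (RFC 1413) lookup with a hard timeout.

Added illustration for the thread above; not code from the original
message, from sendmail or from FreeBSD.  All peers are loopback
stand-ins constructed below, not real identd servers.
"""
import socket
import threading
import time


def ident_lookup(host, port, peer_port, local_port, timeout):
    """Ask the identd at host:port who owns the TCP connection whose
    endpoint on *that* host is peer_port and on our side is local_port
    (for inbound SMTP: peer_port is the client's source port, local_port
    is 25).  RFC 1413 request format: "<port-on-server>, <port-on-client>".

    Returns (status, detail):
      ("disabled", None)      timeout <= 0: lookup skipped, zero cost
      ("refused", None)       peer sent RST: fails at once, near-zero cost
      ("timeout", elapsed_s)  peer never answered: we burned the whole timeout
      ("reply", text)         identd answered (text is the raw reply line)
      ("error", text)         some other socket error
    """
    if timeout <= 0:
        return ("disabled", None)
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(f"{peer_port}, {local_port}\r\n".encode("ascii"))
            data = s.recv(1024)
            if not data:
                return ("error", "connection closed without a reply")
            return ("reply", data.decode("ascii", "replace").strip())
    except ConnectionRefusedError:
        return ("refused", None)
    except socket.timeout:
        return ("timeout", round(time.monotonic() - start, 2))
    except OSError as exc:
        return ("error", str(exc))


def closed_loopback_port():
    """Pick a loopback port nothing listens on, so connect() gets an
    immediate RST.  (Bind-then-close is racy, but fine for a demo.)"""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def silent_listener():
    """Listener that lets the kernel complete the handshake but never
    reads or answers.  To the caller this looks the same as a firewall
    that drops the SYN: nothing comes back until the timeout expires.
    Returns (port, close_fn)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv.getsockname()[1], srv.close


def stub_identd(user):
    """One-shot loopback identd answering in RFC 1413 reply format."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            req = conn.recv(64).decode("ascii", "replace").strip()
            conn.sendall(f"{req} : USERID : UNIX : {user}\r\n".encode("ascii"))
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo(timeout=0.5):
    """Run the four cases and return {case: (status, detail)}."""
    drop_port, close_drop = silent_listener()
    results = {
        "rst":      ident_lookup("127.0.0.1", closed_loopback_port(), 40000, 25, timeout),
        "drop":     ident_lookup("127.0.0.1", drop_port, 40000, 25, timeout),
        "disabled": ident_lookup("127.0.0.1", drop_port, 40000, 25, 0),
        "identd":   ident_lookup("127.0.0.1", stub_identd("nobody"), 40000, 25, timeout),
    }
    close_drop()
    return results


if __name__ == "__main__":
    for case, (status, detail) in demo().items():
        print(f"{case:9s} -> {status}" + (f" ({detail})" if detail else ""))
```

The "drop" case is the one Steinar warns about: with a real MTA the wait is the configured IDENT timeout per inbound connection, not the half second used here. On the firewall side, the split Rob describes maps to ipfw's reset and deny actions, for instance "ipfw add reset tcp from any to 192.0.2.25 113 in" for the mail server address and "ipfw add deny tcp from any to any 113 in" for everything else (192.0.2.25 is a placeholder, not an address from the thread).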