Date: Sat, 03 Apr 2010 00:59:54 -0700
From: perryh@pluto.rain.com
To: m.seaman@infracaninophile.co.uk, freebsd-questions-local@be-well.ilk.org
Cc: freebsd-questions@freebsd.org
Subject: Re: Sendmail Five Second Greeting Delay
Message-ID: <4bb6f57a.wld7n7exwvUX7%2Ba9%perryh@pluto.rain.com>
In-Reply-To: <44iq89lo3v.fsf@be-well.ilk.org>
References: <201004011751.27767.npapke@acm.org> <4BB58AC2.50009@infracaninophile.co.uk> <p2y2daa8b4e1004020533u16d3c5a5hc48eb7ec4ceea7b8@mail.gmail.com> <4BB62E5D.5030400@infracaninophile.co.uk> <44iq89lo3v.fsf@be-well.ilk.org>
Lowell Gilbert <freebsd-questions-local@be-well.ilk.org> wrote:

> Matthew Seaman <m.seaman@infracaninophile.co.uk> writes:
> > Ident queries like this will cause a delay if the other side
> > doesn't respond to the ident query ...
> I consider it polite for firewalls to actively refuse to open
> the connection (TCP reset) rather than just dropping the request,
> though.  There's really no downside to doing so.

Other than giving port-scanners an affirmative indication that there is
a device of some sort at the IP address involved.  Some firewalls even
drop pings for exactly this reason.

If the request comes from an address to which I've recently* initiated
a connection -- so he already knows that my address is currently alive
-- I ought to either respond per protocol or reset.  If it comes from
who-knows-where, it may be safer to drop it.

The ident protocol is useful for the purpose for which it was designed:
to pass "whom to blame" info between servers which have reason to trust
one another's identity (based on, e.g., stable IP addresses) and
administration.  Granted the circumstances in which these conditions
are met are a lot less prevalent than they once were.

* for some reasonable definition of recently
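The policy sketched in the message above, worked through as an added example (this is not code from the thread, from sendmail or from FreeBSD): an RFC 1413 ident responder whose firewall front-end answers queries from peers we have recently connected to, and either resets or silently drops queries from anyone else. The five-minute "recently" window, the 5-second querier timeout, the peer addresses, the port pairs and the local user names are all constructed assumptions for the demonstration; the reply formats (USERID, NO-USER, INVALID-PORT) follow RFC 1413.

```python
"""Ident (RFC 1413) responder behind a drop-vs-reset firewall policy.

Added example, not code from the original thread. It models the policy
described in the message above: answer ident queries from peers we have
recently connected to, and either reset or silently drop queries from
anyone else. The recency window, the connection owners, the peer
addresses and the query lines are all constructed here.
"""
from dataclasses import dataclass, field

RECENT_WINDOW_S = 300.0        # assumption: "recently" means within the last five minutes
IDENT_CLIENT_TIMEOUT_S = 5.0   # assumption: the querying MTA gives up after 5 s


@dataclass
class IdentPolicy:
    # What to do with an ident query from a peer we have not contacted recently:
    # "drop" (silent; the querier waits out its timeout) or "reset" (TCP RST;
    # the querier fails fast but learns that the address is live).
    unsolicited: str = "drop"
    window: float = RECENT_WINDOW_S
    # peer address -> timestamp of our last outbound connection to it
    last_outbound: dict = field(default_factory=dict)
    # (our port, peer's port) -> local user who owns that TCP connection;
    # stands in for the kernel's connection table
    owners: dict = field(default_factory=dict)

    def note_outbound(self, peer: str, now: float) -> None:
        self.last_outbound[peer] = now

    def recently_contacted(self, peer: str, now: float) -> bool:
        last = self.last_outbound.get(peer)
        return last is not None and 0.0 <= now - last <= self.window

    def decide(self, peer: str, now: float) -> str:
        """Decision for an inbound SYN to TCP/113 from peer: respond, reset or drop."""
        if self.recently_contacted(peer, now):
            return "respond"
        return self.unsolicited


def parse_query(line: str):
    """Parse an RFC 1413 query '<port-on-server>,<port-on-client>'.

    Returns the two integers (range not yet checked) or None if the line is
    not two comma-separated numbers.
    """
    parts = line.strip().split(",")
    if len(parts) != 2:
        return None
    try:
        return int(parts[0]), int(parts[1])
    except ValueError:
        return None


def valid_port(port: int) -> bool:
    return 1 <= port <= 65535


def ident_reply(policy: IdentPolicy, line: str) -> str:
    """Build the RFC 1413 reply line for a query we have decided to answer."""
    ports = parse_query(line)
    # Unparseable input: this example echoes 0,0 rather than the raw text,
    # so attacker-controlled bytes never reach the reply.
    sp, cp = ports if ports is not None else (0, 0)
    if not (valid_port(sp) and valid_port(cp)):
        return f"{sp},{cp}:ERROR:INVALID-PORT\r\n"
    user = policy.owners.get((sp, cp))
    if user is None:
        return f"{sp},{cp}:ERROR:NO-USER\r\n"
    return f"{sp},{cp}:USERID:UNIX:{user}\r\n"


def handle_query(policy: IdentPolicy, peer: str, line: str, now: float):
    """Full exchange for one inbound ident query.

    Returns (decision, reply, delay): reply is None unless we answered, and
    delay is what the remote MTA waits before it can get on with its SMTP
    greeting (the whole point of the thread).
    """
    decision = policy.decide(peer, now)
    if decision == "drop":
        return decision, None, IDENT_CLIENT_TIMEOUT_S
    if decision == "reset":
        return decision, None, 0.0
    return decision, ident_reply(policy, line), 0.0


if __name__ == "__main__":
    # Constructed scenario: at t=1000 we connected from our port 40001 to
    # 192.0.2.10 port 25; the remote MTA now asks who owns that connection.
    policy = IdentPolicy(unsolicited="drop")
    policy.note_outbound("192.0.2.10", now=1000.0)
    policy.owners[(40001, 25)] = "smmsp"   # hypothetical local user
    print(handle_query(policy, "192.0.2.10", "40001,25", now=1010.0))
    print(handle_query(policy, "198.51.100.7", "40001,25", now=1010.0))
```

With `unsolicited="drop"` a stranger's query costs them the full timeout and tells them nothing; with `unsolicited="reset"` they fail immediately but learn the address is live, which is the trade-off the message is pointing at. Note that the recency check keys on the peer address only, so it trusts the source IP in exactly the way the message says ident itself always did.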