Date: Sat, 26 May 2001 18:07:37 -0400 (EDT)
From: Rob Simmons <rsimmons@wlcg.com>
To: sthaug@nethelp.no
Cc: jgross@stimpy.net, freebsd-security@FreeBSD.ORG
Subject: Re: 'nother IPFW question
Message-ID: <Pine.BSF.4.21.0105261801070.83983-100000@mail.wlcg.com>
In-Reply-To: <71473.990909998@verdi.nethelp.no>

Since you cannot control other people's firewalls, you should also set the
IDENT timeout to 0 seconds with the following line in
/etc/mail/<whatever>.mc:

    define(`confTO_IDENT', `0s')

This will prevent any delays in sending mail to a mailserver behind a
firewall that blocks incoming port 113 without sending a RST.

I also add an ipf rule to just send an RST if the connection was attempted
to the IP address of my mailserver. All other IPs that are not running
mailservices, I have set to drop the incoming port 113 traffic on the
floor, since it's most likely that the person trying to connect is a
spammer trying to relay mail off my servers. I like to waste spammers'
time. :)

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Sat, 26 May 2001 sthaug@nethelp.no wrote:

> > Augh! Why wouldn't you just have the firewall refuse the connection? It's a
> > bad idea to pass anything through your firewall that you don't want on your
> > internal network.
>
> If you can get your firewall to send a TCP RST, it makes sense. If your
> firewall simply drops the packet, you have just introduced quite a bit
> of delay in many of your email transactions (while the mail server at
> the other end waits for the IDENT request to time out).
>
> Steinar Haug, Nethelp consulting, sthaug@nethelp.no
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.21.0105261801070.83983-100000>
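
The two-tier port 113 policy described in the message above, written out as ipf rules. This is an added example, not part of the original e-mail; the interface name fxp0 and the mail server address 192.0.2.25 are placeholders.

```conf
# Added example (constructed); fxp0 and 192.0.2.25 are placeholders.

# IDENT probes aimed at the mail server: answer with a TCP RST so the
# remote MTA's ident lookup fails at once instead of waiting for a timeout.
block return-rst in quick on fxp0 proto tcp from any to 192.0.2.25/32 port = 113

# IDENT probes aimed at any other address: drop silently, so the sender
# has to wait out its own connection timeout.
block in quick on fxp0 proto tcp from any to any port = 113
```

Both rules use "quick", so the first match wins and the host-specific rule has to come before the catch-all.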