
What to return for AUTH tcp/113 requests?



I believe it's not good to just drop the auth (ident) requests -- IIRC it
makes mail clients delay.

So the question is how should they be rejected?

   reject-with icmp-port-unreachable
or
   reject-with tcp-reset

Of course, I don't have any good reasons not to just allow the auth
requests.  Most will be for mail that's generated from behind a NAT and
sent to the NAT/Firewall machine which runs exim as a smarthost, so the
connections will belong to whatever exim is running as.  

I never thought about this, but do auth requests to ports that are 
forwarded by a NAT machine get forwarded?  I suspect not.

BTW -- is there a utility to manually send an auth request?  That would
help with testing the rules.


Thanks,


-- 
Bill Moseley
moseley@hank.org
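
On the question of a utility for sending an auth request by hand: the sketch below is an added example, not part of the original message. It is a minimal RFC 1413 (ident) client that also times the attempt, so a rule that drops tcp/113 (the probe waits out the timeout) can be told apart from one that rejects it (the probe fails at once). The function names, the 5-second timeout and the sample reply lines are assumptions made for the example.

```python
import socket
import sys
import time

def build_query(port_on_server, port_on_client):
    """RFC 1413 query: the port pair of the TCP connection being asked about.
    port_on_server is the port on the host that runs identd."""
    return f"{port_on_server} , {port_on_client}\r\n".encode("ascii")

def parse_reply(line):
    """Return (ports, kind, detail) for a USERID or ERROR reply line."""
    parts = [p.strip() for p in line.strip().split(":", 3)]
    if len(parts) < 3 or parts[1] not in ("USERID", "ERROR"):
        raise ValueError(f"not an ident reply: {line!r}")
    ports = tuple(int(p) for p in parts[0].split(","))
    if parts[1] == "ERROR":
        return ports, "ERROR", parts[2]      # e.g. NO-USER, HIDDEN-USER
    if len(parts) != 4:
        raise ValueError(f"USERID reply without a user id: {line!r}")
    return ports, "USERID", parts[3]         # parts[2] is the opsys field

def probe(host, port_on_server, port_on_client, timeout=5.0, ident_port=113):
    """Send one ident query; return (outcome, raw_reply, seconds_taken)."""
    start = time.monotonic()
    reply = None
    try:
        with socket.create_connection((host, ident_port), timeout=timeout) as s:
            s.sendall(build_query(port_on_server, port_on_client))
            reply = s.makefile("r", encoding="ascii", errors="replace").readline()
        outcome = "answered"
    except ConnectionRefusedError:
        outcome = "rejected"                 # fast failure: active reject or no listener
    except socket.timeout:
        outcome = "dropped"                  # no response at all within the timeout
    except OSError as exc:
        outcome = f"error: {exc}"
    return outcome, reply, round(time.monotonic() - start, 2)

if __name__ == "__main__":
    # usage: identprobe.py HOST PORT_ON_HOST PORT_ON_THIS_MACHINE
    host, p_srv, p_cli = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
    outcome, reply, took = probe(host, p_srv, p_cli)
    print(f"{host}: {outcome} after {took}s")
    if reply:
        print(parse_reply(reply))
```

A packet capture on the probing side shows whether a "rejected" result came from a TCP reset or from an ICMP message.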


