Re: What to return for AUTH tcp/113 requests?

To: <moseley@hank.org>, <debian-firewall@lists.debian.org>
Subject: Re: What to return for AUTH tcp/113 requests?
From: "Josh Rollyson" <jrollyson@2mbit.com>
Date: Thu, 29 May 2003 14:24:43 -0000
Message-id: <[🔎] twig.1054218283.75137@2mbit.com>
In-reply-to: <[🔎] 20030529132248.GB401@hank.org>

moseley@hank.org said:

> I belive it's not good to just drop the auth (ident) requests -- IIRC it
> makes mail clients delay.
> 
> So the question is how should they be rejected?
> 
>    reject-with icmp-port-unreachable
> or
>    reject-with tcp-reset

tcp-reset - this is the behavior that a closed port normally gives.


> Of course, I don't have any good reasons not to just allow the auth
> requests.  Most will be for mail that's generated from behind a NAT and
> sent to the NAT/Firewall machine which runs exim as a smarthost, so the
> connections will belong to whatever exim is running as.  
> 
> I never thought about this, but do auth requests to ports that are 
> forwarded by a NAT machine get forwarded?  I suspect not.

not normally, but some identd servers have a forwarding function, look at
midentd and oidentd.

> BTW -- is there a utility to manually send an auth request?  That would
> help with testing the rules.

telnet or netcat ;) the requests are pretty simple, see
http://www.faqs.org/rfcs/rfc1413.html for details.

> -- 
> Bill Moseley
> moseley@hank.org
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> 
> 



-- 
--
Josh Rollyson
jrollyson@2mbit.com

Reply to:

References:
- What to return for AUTH tcp/113 requests?
  - From: moseley@hank.org

Prev by Date: Re: What to return for AUTH tcp/113 requests?
Next by Date: What to return for AUTH tcp/113 requests?
Previous by thread: Re: What to return for AUTH tcp/113 requests?
Next by thread: What to return for AUTH tcp/113 requests?
Index(es):
- Date
- Thread