
Re: What to return for AUTH tcp/113 requests?

moseley@hank.org said:

> I believe it's not good to just drop the auth (ident) requests -- IIRC it
> makes mail clients delay.
> So the question is how should they be rejected?
>    reject-with icmp-port-unreachable
> or
>    reject-with tcp-reset

tcp-reset - this is the behavior that a closed port normally gives.

> Of course, I don't have any good reasons not to just allow the auth
> requests.  Most will be for mail that's generated from behind a NAT and
> sent to the NAT/Firewall machine which runs exim as a smarthost, so the
> connections will belong to whatever exim is running as.  
> I never thought about this, but do auth requests to ports that are 
> forwarded by a NAT machine get forwarded?  I suspect not.

not normally, but some identd servers have a forwarding function, look at
midentd and oidentd.

> BTW -- is there a utility to manually send an auth request?  That would
> help with testing the rules.

telnet or netcat ;) the requests are pretty simple, see
http://www.faqs.org/rfcs/rfc1413.html for details.

> -- 
> Bill Moseley
> moseley@hank.org

Josh Rollyson
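
An added example, not part of the original message: a small RFC 1413 client for checking how a firewall rule answers on tcp/113. The function names `parse_ident_reply` and `probe_ident`, the loopback target and the port pair 25/40000 are assumptions made for this sketch.

```python
import socket

def parse_ident_reply(line):
    """Parse one RFC 1413 reply line (hypothetical helper, not from the thread)."""
    fields = line.rstrip("\r\n").split(":", 3)
    if len(fields) < 3:
        raise ValueError("malformed ident reply: %r" % line)
    ports = fields[0].split(",")
    if len(ports) != 2:
        raise ValueError("malformed port pair: %r" % fields[0])
    reply = {"server_port": int(ports[0]), "client_port": int(ports[1]),
             "type": fields[1].strip().upper()}
    if reply["type"] == "USERID" and len(fields) == 4:
        reply["opsys"] = fields[2].strip()
        # RFC 1413: everything after this colon up to CR/LF is the user ID, so no strip.
        reply["userid"] = fields[3]
    elif reply["type"] == "ERROR" and len(fields) == 3:
        reply["error"] = fields[2].strip()
    else:
        raise ValueError("malformed ident reply: %r" % line)
    return reply

def probe_ident(host, server_port, client_port, ident_port=113, timeout=5.0):
    """Return (outcome, detail); outcome is 'refused', 'timeout', 'closed' or 'reply'."""
    try:
        sock = socket.create_connection((host, ident_port), timeout=timeout)
    except ConnectionRefusedError:
        return ("refused", None)   # rejected at once, as a closed port would be
    except socket.timeout:
        return ("timeout", None)   # no answer: the request was silently dropped
    with sock:
        sock.sendall(("%d , %d\r\n" % (server_port, client_port)).encode("ascii"))
        data = b""
        try:
            while not data.endswith(b"\n") and len(data) < 1024:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            return ("timeout", None)
    if not data:
        return ("closed", None)
    return ("reply", parse_ident_reply(data.decode("latin-1")))

if __name__ == "__main__":
    # Constructed target and port pair; point it at the firewall under test.
    print(probe_ident("127.0.0.1", 25, 40000))
```

A `refused` outcome returns immediately, while `timeout` only returns after the full timeout has elapsed, which is the delay a client sees when the request is dropped.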
