Re: What to return for AUTH tcp/113 requests?
moseley@hank.org said:
> I believe it's not good to just drop the auth (ident) requests -- IIRC it
> makes mail clients delay.
>
> So the question is how should they be rejected?
>
> reject-with icmp-port-unreachable
> or
> reject-with tcp-reset
tcp-reset - this is the behavior that a closed port normally gives.
> Of course, I don't have any good reasons not to just allow the auth
> requests. Most will be for mail that's generated from behind a NAT and
> sent to the NAT/Firewall machine which runs exim as a smarthost, so the
> connections will belong to whatever exim is running as.
>
> I never thought about this, but do auth requests to ports that are
> forwarded by a NAT machine get forwarded? I suspect not.
Not normally, but some identd servers have a forwarding function; look at
midentd and oidentd.
> BTW -- is there a utility to manually send an auth request? That would
> help with testing the rules.
telnet or netcat ;) The requests are pretty simple; see
http://www.faqs.org/rfcs/rfc1413.html for details.
> --
> Bill Moseley
> moseley@hank.org
--
Josh Rollyson
jrollyson@2mbit.com
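
Added example, not part of the original message: a small Python tester for the rules discussed above, which sends one RFC 1413 query and reports whether tcp/113 was actively rejected, silently dropped, or answered. The function names, verdict strings and the 5-second timeout are assumptions made for this sketch.

```python
import socket
import sys

def build_query(server_port, client_port):
    """RFC 1413 query: port on the identd host, then port on the asking host."""
    return f"{server_port}, {client_port}\r\n".encode("ascii")

def parse_reply(line):
    """Parse '<ports> : USERID : <opsys> : <user>' or '<ports> : ERROR : <type>'."""
    fields = [f.strip() for f in line.strip().split(":", 3)]
    if len(fields) < 3:
        raise ValueError(f"malformed ident reply: {line!r}")
    ports = tuple(int(p) for p in fields[0].split(","))
    kind = fields[1].upper()
    if kind == "ERROR":
        return {"ports": ports, "type": "ERROR", "error": fields[2]}
    if kind == "USERID" and len(fields) == 4:
        # The user-id may itself contain ':'; maxsplit=3 above keeps it whole.
        return {"ports": ports, "type": "USERID",
                "opsys": fields[2], "user": fields[3]}
    raise ValueError(f"malformed ident reply: {line!r}")

def probe(host, server_port, client_port, port=113, timeout=5.0):
    """Return (verdict, detail) for one ident query against host."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_query(server_port, client_port))
            raw = s.makefile("rb").readline()
    except ConnectionRefusedError:
        return ("refused", None)    # connect failed at once: a REJECT rule or closed port
    except socket.timeout:
        return ("timeout", None)    # nothing came back: the delay a DROP rule causes
    except OSError as exc:
        return ("error", str(exc))  # e.g. host or network unreachable
    if not raw:
        return ("closed", None)     # accepted, then closed without answering
    return ("reply", parse_reply(raw.decode("ascii", "replace")))

if __name__ == "__main__":
    # Usage: ident_probe.py HOST PORT_ON_HOST PORT_ON_THIS_MACHINE
    print(probe(sys.argv[1], int(sys.argv[2]), int(sys.argv[3])))
```

A "refused" verdict returns immediately, while "timeout" only returns after the full timeout, which is the delay a connecting mail server would see when the requests are dropped.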